Firewall Wizards mailing list archives
Re: What is a proxy?
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 25 Jan 2001 12:18:06 -0500
Robert Graham wrote:
> My question is this: has anybody done a review of the proxies out there (specifically HTTP, SMTP, POP3, etc.) that measures the degree to which the proxy service "cleanses" information passing through it?
> <snip>
> Likewise, do people consider this an important issue?
Speaking from the user, not the vendor, side of things: Considering the marketing behind proxies, their perceived and real advantages, and their potential for added functionality, I'd say it is *mandatory* to understand to what level a protocol or application is actually being proxied. This includes what decisions are being made about things like the safety of certain options, headers, buffer limits, known-exploit-pattern checking, etc. This understanding is necessary not only to choose an appropriate product but also to realistically assess the assumed risk, properly set expectations, create policies about application usage, apply rule-sets, troubleshoot problems, and interpret logs.

Not having read any commercial firewall documentation in a long while, I don't know if this type of information is in the manual. The marketing literature sometimes has check-offs indicating individual protocols or applications that are proxied but I've never seen any details.

I'd guess the issue is similar to the inner workings of intrusion detection, anti-virus, and vulnerability scanners. Without knowing what they're really doing, we're forced to assess the accuracy of their reports and even their suitability to task by deploying them rather than being able to perform an analysis on their implementation. At best, we have to depend upon trade magazine tests, peer tests, limited time evaluations, open disclosure lists, etc.

While I certainly wouldn't want to examine anti-virus detection pattern logic, the smaller number of proxies makes examination of them a realistic endeavor on the part of the consumer.

As an aside, it would be nice to have the vulnerability and intrusion detection logic available too. Being much more numerous than proxies, reviews would probably be done by testing groups (and competitors :) rather than individual end users but the end user would find value in being able to examine the logic when investigating both false and true detections.

Back to firewalls. Some proxy developers will conscientiously implement full protocol/application implementations but some may simply satisfy RFP checkoff points by implementing a banner filter and a blind relay as you suggested. Since some companies view facts about these implementations as proprietary information giving them marketing advantages we're put in the position of being at their mercy...the old trust issue again :) I suspect the growing popularity of open-source security tools, corporate GUI/turn-key-security-policy purchases notwithstanding, is the result of this uncertainty.

Playing Devil's Advocate for the moment:

a) There is the possibility that some of today's protocols and applications are inherently insecure regardless of proxy logic and the only thing keeping them more secure than an open network is the obscurity of the proxy implementation.

b) It may be a practical impossibility to describe the inner workings of a proxy in sufficient detail for a thorough analysis without publishing the source code which, again, brings up issues of intellectual property, competitive advantage, and "need to know" security.

c) The proxies may change so often that providing updated documentation becomes a significant effort.

I anxiously await any answers to the question you posed.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
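
The difference between a banner filter in front of a blind relay and a proxy that parses the protocol, shown as an added example that is not part of the original message or of any product. The verb allowlist, the replacement banner and the sample session are constructed for illustration; the line limits are the RFC 5321 values, and the sketch assumes no pipelining and that the server accepts DATA.

```python
# Added illustration (not from the original message); all input is constructed.
MAX_CMD_LINE = 512    # RFC 5321 command-line limit, CRLF included
MAX_TEXT_LINE = 1000  # RFC 5321 message text-line limit, CRLF included
ALLOWED_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}  # assumed policy

def banner_filter(server_line: bytes) -> bytes:
    """Replace the server greeting so the MTA name and version are hidden."""
    return b"220 mail gateway ready\r\n" if server_line.startswith(b"220") else server_line

def blind_relay(client_bytes: bytes) -> bytes:
    """Forward whatever the client sent, unparsed."""
    return client_bytes

def protocol_proxy(client_bytes: bytes):
    """Parse the client side of one SMTP session; return (forwarded_bytes, log)."""
    lines = client_bytes.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()  # drop the empty piece after the final CRLF
    forwarded, log, in_data = [], [], False
    for line in lines:
        limit = MAX_TEXT_LINE if in_data else MAX_CMD_LINE
        if len(line) + 2 > limit or any(c in line for c in (b"\n", b"\r", b"\x00")):
            log.append(f"reject: malformed or over-long line ({len(line)} bytes)")
            if in_data:
                break  # cannot resynchronise inside a message body
            continue
        if in_data:
            in_data = line != b"."  # a lone dot ends the message
            forwarded.append(line)
            continue
        verb = line[:4].upper()
        if verb not in ALLOWED_VERBS or line[4:5] not in (b"", b" "):
            log.append(f"reject: command {verb!r} not in allowlist")
            continue
        in_data = verb == b"DATA"  # simplification: assumes the server answers 354
        forwarded.append(line)
    return b"".join(l + b"\r\n" for l in forwarded), log

# Constructed client session: one disallowed verb, one over-long argument.
SESSION = (b"EHLO client.example\r\n"
           b"VRFY root\r\n"
           b"MAIL FROM:<a@client.example>\r\n"
           b"RCPT TO:<" + b"A" * 600 + b">\r\n"
           b"RCPT TO:<b@server.example>\r\n"
           b"DATA\r\nSubject: hi\r\n\r\nbody\r\n.\r\n"
           b"QUIT\r\n")

if __name__ == "__main__":
    out, log = protocol_proxy(SESSION)
    print(len(blind_relay(SESSION)), "bytes relayed blindly;", len(out), "bytes after parsing")
    print("\n".join(log))
```

The banner filter changes only what the client sees from the server; every client byte still reaches the server through the blind relay, while the parsing proxy withholds the two rejected lines and records why.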