Firewall Wizards mailing list archives
Re: Gauntlet 6 "adaptive proxy"
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 18 Aug 2004 08:59:51 +0200 (CEST)
Hello! Kevin Kadow wrote:
I know it's ancient (but vendor supported until 2005), but can anybody share insight into this Gauntlet feature?
Not so ancient as not to have some of them still running here. Since gauntlet-users is de-facto dead, this is probably the right place to ask.
I'm trying to eke out every bit of performance I can from my old GFW6.0 machines, and have been told that I should turn on "adaptive proxy" to boost HTTP and FTP performance. The docs imply a security trade-off, but do not give details.
The adaptive proxy is a hybrid approach developed as a reaction to market pressure. Application level gateways are so sloooow, compared to stateful inspection, you know ;-)

What it does is roughly this: The connection is still routed through the transparency layer and up to the proxy serving the protocol in question. Three-way-handshake, accept(), all done the regular way. The proxy does all the policy checks just as it would in the non-adaptive case. Proxies that actually have some layer 7 intelligence (like http-pdk) will do the configured checks ("only GET/POST" or whatever), too.

Once the connection has passed all policy checks, the proxy will generate an on-the-fly packet filter rule permitting all following packets of the connection through. So from this moment on forwarding is done by the packet filter layer, avoiding the context switches to the proxy process.

This may allow for some very cleverly composed attacks, OTOH it may not. I'm feeling quite comfortable with this approach and use it in most installations today.

HTH,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit

+-----------------------------------+
| EuroBSDCon 2004 in Karlsruhe!     |
| 29. - 31. 10. 2004                |
| http://www.eurobsdcon2004.de/     |
+-----------------------------------+
--
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
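The mechanism Patrick describes (proxy does the handshake and the layer-7 policy check, then hands the flow to a per-connection packet filter rule) can be modelled in a few dozen lines. The following is an added example written for this archive page, not Gauntlet code and not anything posted by the list members; it assumes TCP, one HTTP request per segment, a "GET/POST only" policy, and uses constructed sample traffic in the documentation address ranges. Running the same keep-alive connection through the model with the fast path off and on shows exactly what the trade-off in the post is: after the first inspected request, the filter rule matches on addresses and ports only, so nothing later on that connection is seen by the proxy.

```python
from __future__ import annotations

from dataclasses import dataclass

# Methods the layer-7 proxy is configured to allow (the '"only GET/POST"
# or whatever' check mentioned in the post). Constructed policy for the model.
ALLOWED_METHODS = {"GET", "POST"}


@dataclass(frozen=True)
class Flow:
    """Connection identity a packet filter rule keys on (TCP assumed)."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Packet:
    flow: Flow
    payload: bytes  # one complete HTTP request per segment, for simplicity


class AdaptiveProxyModel:
    """Toy model of an application gateway with an optional 'adaptive' fast path.

    adaptive=False: every segment is handed up to the proxy process and policy-checked.
    adaptive=True:  once a flow has passed the proxy's checks, a per-flow permit rule
                    is installed and later segments are forwarded by the filter layer
                    without ever reaching the proxy.
    """

    def __init__(self, adaptive: bool) -> None:
        self.adaptive = adaptive
        self.fastpath: set[Flow] = set()   # on-the-fly permit rules, keyed by flow
        self.proxy_inspections = 0         # how often the proxy process was involved

    @staticmethod
    def policy_check(payload: bytes) -> bool:
        """Layer-7 check: the request line must carry an allowed method."""
        request_line = payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) != 3:
            return False
        return parts[0].decode("ascii", errors="replace") in ALLOWED_METHODS

    def handle(self, pkt: Packet) -> str:
        if pkt.flow in self.fastpath:
            # Filter layer forwards on the 5-tuple alone: no context switch,
            # no look at the payload.
            return "FORWARDED_BY_FILTER"
        self.proxy_inspections += 1
        if not self.policy_check(pkt.payload):
            return "DENIED_BY_PROXY"
        if self.adaptive:
            self.fastpath.add(pkt.flow)  # the dynamic rule the post describes
        return "FORWARDED_BY_PROXY"

    def close(self, flow: Flow) -> None:
        """Connection teardown: a dynamic rule must be removed again, or it leaks."""
        self.fastpath.discard(flow)


def run_scenario(adaptive: bool) -> tuple[list[str], int]:
    """Three requests on one keep-alive connection (constructed sample traffic)."""
    flow = Flow("192.0.2.10", 40000, "198.51.100.5", 80)
    segments = [
        Packet(flow, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Packet(flow, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Packet(flow, b"DELETE /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ]
    gw = AdaptiveProxyModel(adaptive)
    outcomes = [gw.handle(seg) for seg in segments]
    gw.close(flow)
    return outcomes, gw.proxy_inspections


if __name__ == "__main__":
    for mode in (False, True):
        outcomes, n = run_scenario(mode)
        print(f"adaptive={mode}: {outcomes} (proxy invoked {n} times)")
```

With the fast path off, the proxy is invoked for all three requests and refuses the third; with it on, the proxy is invoked once and the remaining two requests, including the one the policy would have refused, pass on the filter rule. That is the whole of the performance gain and of the security cost: both are confined to what follows the first inspected exchange on a connection, which is why the post's "cleverly composed attacks" caveat applies to protocols where one connection carries many independent requests. The `close()` step matters operationally as well, since a permit rule that outlives its connection is a hole, not an optimisation.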
Current thread:
- Gauntlet 6 "adaptive proxy" Kevin Kadow (Aug 17)
- Re: Gauntlet 6 "adaptive proxy" Patrick M. Hausen (Aug 18)
- <Possible follow-ups>
- RE: Gauntlet 6 "adaptive proxy" Shivdasani, Meenoo (Aug 20)
- Re: Gauntlet 6 "adaptive proxy" Kevin Kadow (Aug 22)
- RE: Gauntlet 6 "adaptive proxy" Shivdasani, Meenoo (Aug 23)
- Re: Gauntlet 6 "adaptive proxy" Kevin Kadow (Aug 25)