Firewall Wizards mailing list archives

RE: on-the-fly-analysis vs. proxy rewrites


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 08 Feb 2006 19:21:11 -0500

Behm, Jeffrey L. wrote:
My sometimes jaded view is that the proxy rewrites the traffic to
conform to whatever the proxy writer wrote.

Typically, a proxy also only carries a _subset_ of a full protocol.
That's based on a combination of observation and the designer's
assessment of what is "necessary" and "safe". For example,
a proxy might implement basic SMTP for mail collection and
trap all ESMTP commands to a subroutine that only knows
how to return a "command unknown" error. A boundary DNS
proxy might know how to issue queries but might not even
contain code that knows how to do a zone transfer - and
by omitting that code entirely you can be fairly confident
that any vulnerabilities in that code-branch will not work
against the proxy or systems behind it.

A gateway device has absolutely no reason to implement a
full application protocol stack beyond the absolute minimum
necessary to get the data back and forth. So a proxy serves
not only as an application protocol validation sieve, it's also
sort of an application protocol minimizer.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
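Ranum's SMTP example above, worked as an added illustration (not code from the post or from any real proxy): a command sieve that forwards only a hard-coded subset of SMTP verbs and routes every other verb, ESMTP extensions included, into one trap that can only answer "command unrecognized". The verb list, argument patterns, reply texts and line limit are assumptions chosen for the example.

```python
# Added example of the "protocol minimizer" idea: a command sieve in front of
# a store-and-forward SMTP proxy.  Only the basic RFC 821/5321 verbs are
# forwarded; every other verb (EHLO, AUTH, STARTTLS, BDAT, ...) lands in a
# trap that has no code path except returning an error.
# Example code only; verb table, patterns, reply texts and limit are assumed.

import re
from typing import Tuple

# The subset of the protocol the proxy agrees to carry.  A verb absent from
# this table does not exist as far as the proxy (or the backend) is concerned.
ALLOWED = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-\[\]:]{1,255}$"),   # one hostname/literal
    "MAIL": re.compile(r"^FROM:<[^<>\s]{0,254}>$", re.I),  # MAIL FROM:<path>, <> ok
    "RCPT": re.compile(r"^TO:<[^<>\s]{1,254}>$", re.I),    # RCPT TO:<path>
    "DATA": re.compile(r"^$"),                             # no arguments allowed
    "RSET": re.compile(r"^$"),
    "NOOP": re.compile(r"^.{0,100}$"),
    "QUIT": re.compile(r"^$"),
}
MAX_LINE = 512  # RFC 5321 command-line limit, CRLF included

def unknown_command() -> str:
    """The single subroutine every non-implemented verb is trapped into."""
    return "500 5.5.1 Command unrecognized"

def sieve(line: bytes) -> Tuple[bool, str]:
    """Decide whether one client command line may reach the real MTA.

    Returns (forward, reply).  When forward is False the proxy answers the
    client itself with `reply` and the backend never sees the line.
    """
    if len(line) > MAX_LINE:
        return False, "500 5.5.2 Line too long"
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return False, "500 5.5.2 Non-ASCII command line"
    verb, _, args = text.partition(" ")
    pattern = ALLOWED.get(verb.upper())
    if pattern is None:
        return False, unknown_command()
    if not pattern.fullmatch(args.strip()):
        return False, "501 5.5.4 Syntax error in parameters"
    return True, ""
```

Note that ESMTP parameters such as `MAIL FROM:<a@b> SIZE=1000` are also rejected, since the argument patterns only accept the minimal form the proxy chose to carry.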
