Firewall Wizards mailing list archives
RE: on-the-fly-analysis vs. proxy rewrites
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Fri, 10 Feb 2006 09:21:02 -0600
On Friday, February 10, 2006 8:55 AM, Darren Reed so wrote:

> On Wednesday, February 08, 2006 5:39 PM, Jeff Behm wrote:
>
>> On Wednesday, February 08, 2006 1:27 AM, Darren Reed so wrote:
>>
>>> On Tuesday, February 07, 2006 12:50 PM, Dave Piscitello so spake:
>>>
>>>> An interesting exercise for this list - possibly a new thread? - is
>>>> "what security policies are best enforced by implementing on-the-fly
>>>> analysis" versus "what security policies are best enforced by proxy
>>>> rewrites".
>>>
>>> How is one different to the other? How is a proxy not doing something
>>> "on the fly"?
>>
>> My sometimes jaded view is that the proxy rewrites the traffic to conform
>> to whatever the proxy writer wrote. Hopefully, that matches up with some
>> standard protocol to _provide_ the security. I.E. You get the security
>> from the proxy writer having rewritten your traffic. It's doing
>> *something,* true, but it's not "checking" anything. It's just not
>> re-writing any *bad* stuff.
>
> That is still "on the fly". The original question (however flawed it
> was), wanted to compare "on the fly" vs proxy. I'd assert that in nearly
> all cases, except for SMTP, the proxy IS "on the fly".

Hmmmm...contemplating...should I respond or let this die?...It's only a small technical point I'm trying to make here anyway...

I can see how one could assert that, but I feel you're leaving off a very important and meaning-changing word from the OP's question. That word is "analysis." Proxy stuff *is* on-the-fly, but (IMHO) it is *not* on-the-fly-analysis, which is what the OP asked to compare. It's just taking a request and rewriting it to conform to the proxy writer's interpretation of the standard protocol (as MJR eloquently pointed out, (paraphrased) "The proxy writer should only implement that part of the protocol that is absolutely necessary, i.e. a subset of the entire protocol.").

Quote from MJR from another post...
"<mjr>So a proxy serves not only as an application protocol validation sieve, it's also sort of an application protocol minimizer.</mjr>"

On the fly *analysis* (to me) means looking at the data in the different layers and verifying they are "correct" (whatever that means) against the standard. I.E. Analyzing the data. The proxy parses the data and rewrites it based on the proxy writer's implementation, but the proxy isn't "enforcing" or analyzing the data. It's just rewriting it to conform. A subtle, but important difference that I tried to make when I said "It's doing something, but it's not checking anything." I should have changed "checking" to "analyzing."

We're really a bit OT chasing a tangent here, and I almost didn't respond, but I believe it is an important distinction to make. Also, I'm not sure anyone has really answered the OQ...

Jeff

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
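Editor's added illustration of the distinction drawn in the message above (this is example code, not part of the thread and not any product's implementation): the same toy HTTP request is handled by a "proxy rewrite" function, which re-emits only the subset of the protocol a hypothetical proxy writer chose to implement and silently leaves everything else behind, and by an "on-the-fly analysis" function, which inspects the request against the same rules and reports each deviation without altering the bytes. The allowed methods, header whitelist, size limit and the sample requests are all constructed assumptions for the example.

```python
"""Proxy rewrite (protocol minimizer) versus on-the-fly analysis, side by side.
Toy HTTP/1.x handling; every rule below is an assumption made for the example."""
from typing import List, Optional, Tuple

# The subset of HTTP our hypothetical proxy writer chose to implement.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HEADERS = {"host", "user-agent", "accept"}
REQUIRED_HEADERS = {"host"}
MAX_HEADER_VALUE = 256  # bytes; assumed policy limit


def parse_request(raw: bytes) -> dict:
    """Split a request into method/target/version, header pairs and body.
    Raises ValueError (or UnicodeDecodeError) on gross malformation."""
    text = raw.decode("ascii")  # non-ASCII is outside the subset we accept
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("bad request line")
    method, target, version = parts
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def proxy_rewrite(raw: bytes) -> Optional[bytes]:
    """Proxy style: rebuild the request from scratch using only what the proxy
    implements. Unknown or oversize headers, bodies and odd versions never reach
    the server; nothing is reported. Returns None if the request cannot be
    expressed in the implemented subset at all."""
    try:
        req = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if req["method"] not in ALLOWED_METHODS:
        return None
    kept = [(n, v) for n, v in req["headers"]
            if n in ALLOWED_HEADERS and len(v) <= MAX_HEADER_VALUE]
    if not REQUIRED_HEADERS <= {n for n, _ in kept}:
        return None
    # Version is normalised to HTTP/1.1 and header names to lower case: the
    # output reflects the proxy writer's choices, not the client's request.
    out = ["%s %s HTTP/1.1" % (req["method"], req["target"])]
    out += ["%s: %s" % (n, v) for n, v in kept]
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")  # body dropped


def analyze_on_the_fly(raw: bytes) -> List[str]:
    """Analysis style: check the request against the rules and return every
    finding. The request is not modified; the caller decides what to do."""
    try:
        req = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return ["malformed: %s" % exc]
    findings: List[str] = []
    if req["method"] not in ALLOWED_METHODS:
        findings.append("method not permitted: %s" % req["method"])
    for n, v in req["headers"]:
        if n not in ALLOWED_HEADERS:
            findings.append("unexpected header: %s" % n)
        if len(v) > MAX_HEADER_VALUE:
            findings.append("oversize header value: %s (%d bytes)" % (n, len(v)))
    for r in sorted(REQUIRED_HEADERS - {n for n, _ in req["headers"]}):
        findings.append("missing required header: %s" % r)
    if req["body"] and req["method"] in ("GET", "HEAD"):
        findings.append("body present on bodiless method")
    return findings


# Constructed sample request: one oversize unknown header plus a cookie.
SAMPLE = (b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n"
          b"X-Debug: " + b"A" * 300 + b"\r\nAccept: */*\r\nCookie: s=1\r\n\r\n")

if __name__ == "__main__":
    print(proxy_rewrite(SAMPLE))        # minimised request, no complaints
    for f in analyze_on_the_fly(SAMPLE):
        print("finding:", f)           # same bytes, each deviation named
```

Run against the constructed sample, the proxy hands the server a three-line request and says nothing about what it discarded, while the analyzer leaves the bytes alone and returns three findings; that silence versus reporting is the practical difference the message above is pointing at, and a deployment that wants both protection and visibility typically needs both behaviours.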
Current thread:
- on-the-fly-analysis vs. proxy rewrites Behm, Jeffrey L. (Feb 07)
- Re: on-the-fly-analysis vs. proxy rewrites Gabriele Buratti (Feb 08)
- Re: on-the-fly-analysis vs. proxy rewrites Darren Reed (Feb 08)
- <Possible follow-ups>
- RE: on-the-fly-analysis vs. proxy rewrites Behm, Jeffrey L. (Feb 08)
- Message not available
- RE: on-the-fly-analysis vs. proxy rewrites Marcus J. Ranum (Feb 08)
- Message not available
- Re: on-the-fly-analysis vs. proxy rewrites Darren Reed (Feb 19)
- RE: on-the-fly-analysis vs. proxy rewrites Hawkins, Michael (Feb 09)
- Re: on-the-fly-analysis vs. proxy rewrites Dave Piscitello (Feb 09)
- Message not available
- RE: on-the-fly-analysis vs. proxy rewrites Marcus J. Ranum (Feb 09)
- Re: on-the-fly-analysis vs. proxy rewrites ArkanoiD (Feb 19)