Firewall Wizards mailing list archives
Re: Query: Why bother with an application proxy over stateful packet filtering?
From: william fitzgerald <wfitzgerald () tssg org>
Date: Mon, 27 Aug 2007 16:36:00 +0100
Thanks Andy. You've given me food for thought.

First point: While I agree with your view of controlling telnet or inappropriate protocols across a firewall as compared with using a more fine-grained web proxy, I can still bypass the proxy via "httptunnel", for example. So both proxy and firewall can be equally subverted internally via outbound traffic to a rogue service listening on an HTTP port.

Second point: also, iptables could use its "string matching" to filter inappropriate sites that match content keywords, or even based on a black-hole list.

I guess I am still struggling to see any real benefits as of right now apart from the obvious web caching abilities, but that's not what this discussion is about. I will dig deeper, starting with Patrick Hausen's reading list (previous post reply) first and move from there.

regards,
Will.

PS: I drive a Mazda B2500 4X4. I too am interested in 4x4's and I plan on getting an old cheap jeep to enjoy some off-roading as a hobby.

Andy Cunningham wrote:
> william fitzgerald nearly made me spill my Shiraz on 08/27/2007 03:05 PM by writing:
>> Dear Experts, I am interested in knowing more about network access control via various kinds of firewalls. I am wondering why there would be a need to set up a proxy such as a web proxy (Squid) instead of just using a stateful packet filtering firewall (iptables) only in a network?
>
> The two usual reasons are protocol enforcement and content filtering. A stateful packet inspection firewall will allow anything you like once the initial TCP handshake has been approved, so there's nothing stopping me setting up a telnet server on port 80 and connecting to that from inside the office. If the only thing allowed to communicate to the firewall is the proxy server, you know you're only ever doing HTTP.
>
> There are a number of plugins for proxy servers that mean you can filter inappropriate sites and otherwise control access in ways a pure firewall can't. Some of this functionality is available in some newer firewall systems if you want a single device.
>
> Hope that helps.
> Andy
-- 
William M. Fitzgerald, PhD Student, Telecommunications Software & Systems Group, ArcLabs Research and Innovation Centre, Waterford Institute of Technology, WIT West Campus, Carriganore, Waterford. Office Ph: +353 51 302937 Mobile Ph: +353 87 9527083 Web: www.williamfitzgerald.org
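The telnet-on-port-80 case Andy describes and the httptunnel case Will raises, as an added example (not code from the thread): a minimal classifier for the first bytes of a client-to-server stream on TCP port 80, compared against a port-only stateful rule and a proxy that only forwards what parses as an HTTP request. The sample sessions and the host name rogue.example are constructed for illustration.

```python
import re

# HTTP/1.x request line: method SP request-target SP HTTP-version CRLF
_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} [^ \r\n]+ HTTP/1\.[01]\r\n")
# Telnet option negotiation opens with IAC (0xFF) + WILL/WONT/DO/DONT (0xFB-0xFE)
_TELNET_IAC = re.compile(rb"^\xff[\xfb-\xfe]")


def classify_stream(first_bytes: bytes) -> str:
    """Label the start of a client->server stream by the protocol it speaks."""
    if _REQUEST_LINE.match(first_bytes):
        return "http"
    if _TELNET_IAC.match(first_bytes):
        return "telnet"
    return "unknown"


def stateful_filter_allows(dst_port: int) -> bool:
    """Port-based stateful rule: once the handshake to 80 is approved, any payload flows."""
    return dst_port == 80


def proxy_allows(first_bytes: bytes) -> bool:
    """A web proxy only forwards what it can parse as an HTTP request."""
    return classify_stream(first_bytes) == "http"


# Constructed sample sessions, all to TCP port 80.
SESSIONS = {
    "browser": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "telnet": b"\xff\xfb\x18\xff\xfb\x1f",  # telnetd listening on port 80 (Andy's case)
    # httptunnel-style: non-HTTP payload wrapped in a syntactically valid request (Will's point)
    "tunnel": b"POST /index.html HTTP/1.1\r\nHost: rogue.example\r\n"
              b"Content-Length: 9999\r\n\r\n\xff\xfb\x18",
}


def compare_policies(sessions=SESSIONS) -> dict:
    """Return, per session, what each enforcement point decides and what the stream looks like."""
    return {
        name: {
            "stateful_filter": stateful_filter_allows(80),
            "proxy": proxy_allows(data),
            "looks_like": classify_stream(data),
        }
        for name, data in sessions.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:8s} {verdict}")
```

The telnet session passes the port-only rule but not the proxy; the tunnel session passes both, which is exactly why protocol enforcement alone does not settle the question in the thread.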