Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proxies, opensource and the general market: what's wrong with us?

From: Claudio Telmon <claudio () telmon org>
Date: Wed, 27 Apr 2011 23:59:52 +0200
On 04/27/2011 10:52 PM, David Lang wrote:


however, as proxy firewalls are dieing, new devices with the type of
checking that proxies do are becoming more common.



I don't think so. No product that I'm aware of has the same "default
deny" on the low level attacks that a proxy has. Again, the recent
"split handshake" problems are a clear example: packet filters "try to
guess" the proper session state, while there is no way to cheat a proxy
into letting a connection in if it's not permitted (up to TCP/UDP, I
mean). Packet-handling tools, be it filters, IDS or something else,
however, are probably "good enough" for the market.


doing the checking with a proxy listening to a specific port should be
significantly easier thatn checking for all protocols on all connections
passing through the devices.



It is, actually, if it's TCP. For what I remember as I wrote some code
in this area, UDP is much more of a nightmare. This is why I say that
proxies are good for some protocols (e.g. http) where you can benefit
from tight controls, but you still need a packet filter underneath for
other protocols: you can't punch a hole in a proxy for a new, unknown
and "essential" protocol.

ciao

- Claudio

-- 

Claudio Telmon
claudio () telmon org
http://www.telmon.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: