Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: david () lang hm
Date: Wed, 27 Apr 2011 17:20:17 -0700 (PDT)

On Thu, 28 Apr 2011, ArkanoiD wrote:

On Wed, Apr 27, 2011 at 01:52:48PM -0700, David Lang wrote:

I think there is some room for a HTTP or XML firewall checker to be
implemented and satisfy a lot of needs (technical needs that is, when
management makes a decision that "all firewalls are going to be Cisco"
or even "all firewalls must be commercial appliances" that trumps all
technical issues), but right now I am not aware of any free tools in
these spaces, completely ignoring the 'learning modes' of many of the
commercial offerings.

At the moment I am trying to offload non protocol-related http checks to external
ICAP filters. For XML, I have some raw prototype, but I do not like the fact it
is based on libxml2 and inherits all potential vulnerabilities (as it is a huge
piece of code) and still there is a lack of an automated tool that can be used to
"formalize" "normal" xml flow to check for anomalies later. For several well-documented
protocols it is not needed, but aiming at SOA it is probably a must :-(

I'm happy to hear of this work, is the prototype available somewhere?

openfwtk hasn't hit this yet for me as the key thing that I use FWTK
for is the authenticated proxies and the last I checked it doesn't have
an authsrv equivalent (or the ability for its proxies to tie in to an
authentication source).

You must be missing something, authsrv is the part that required several fixes, so it
is there for sure, for a few years at least, and it has really improved much. Multiple groups per user are allowed,
authentication sources may be checked against netperm-table (you may write rules that restrict authentication
to a given proxy, or a given host), unix local socket is supported as transport to avoid writing
complicated "loopback prevention" rules, etc etc.

Yep, I did miss it. I'll have to take another look at it. Does it use the same over-the-wire protocol as the fwtk authsrv (so that I can use the existing proxies)?

I am thinking about adding radius and/or pam backends support, but still had no time to implement that.

There's an authsrv pam module floating around already for fwtk, and I commissioned a tool as part of openradius that allows it to talk to authsrv to do authentication (I've got a config to enable SNK tokens and plain passwords, I don't know how it would work with other authentication types). Unfortunately it looks as if openradius is dead, as there has not been a release in a long time (not even with the functionality that I commissioned).

This is very definitely not the 'single API, similar code' situation that you are saying that you want, but I'm not sure how much of a requirement that is.

openfwtk also isn't the complete solution that
ArkanoiD painted it to be, for many things it just says 'use tool X',
which is a good thing to avoid re-inventing the wheel, but it doesn't
result in the firewall API that he is looking for.

Unfortunately it still is not :-( Lack of resources, that's it. Reimplementing full IMSpector, GreenSQL and privoxy functionality is not non-trivial, it is just time-consuming. Until then you need extra tools.

There is nothing wrong with the fact that you need other tools that are outside OpenFWTK scope, though, like Prelude, log analyzers, etc.

I have no problem saying that things like log analysers are out of scope, but (at least when initially released) the documentation was saying that things like ssh and http were out of scope (and with telnet and FTP being so insecure, I was remembering that you didn't implement them, leaving little that would use authentication, which is probably why I was thinking that authsrv wasn't implemented).

I actually don't have an objection to the firewall being a collection of different tools gathered together (that's just good code re-use in the best opensource tradition). It may require some tweaks to code, or some scripts to create the appropriate config files for some of the tools, but that is far better than having to completely re-write the tools.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards