Re: Gauntlet adaptive proxies

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Rodney van den Oever, sie wrote:
> > > What do folks make of Gauntlet's adaptive proxies that got best of show at
> > > Networld+Interop?  As I understand it the proxies can be configured to
> > > switch over to packet filtering after the intitial connection has been set
> > > up thus preserving a lot of the security while increasing the speed.  
> >
> > Well, lets take the most basic (and most hated ? ;) example of FTP.
> > Something I have often thought of doing (and perhaps they do) is to
> > have your FTP proxy work as per FWTK but when it sees a PORT/PASV
> > command, it sets up the right filter rule(s) to allow direct throughput.
> >
> > In a similar fashion, you might have your HTTP proxy look at what would
> > be the HEAD of the HTTP conversation and examine that as necessary before
> > setting up rules to allow the rest of the data to flow without going through
> > the proxy.
>
> Isn't this exactly what CheckPoint's Security Servers do? They intercept
> the packet, examine the data, then allow the packets right through.

No, it isn't exactly what CheckPoint's Security Servers do.  Well, maybe
at a very `basic' and abstract level.

CheckPoint doesn't have proxies for a start, so all it does is either
pass or deny packets.  For Gauntlet, there is a fundamental difference
for the path taken by data in the HTTP example above.  For the first
20 or so, the packets are interpreted by the local kernel as being a
part of a local TCP connection, resulting in data being copied in/out
of a user-space proxy.  Once the proxy is happy, it tells the kernel to
just pass the rest of the packets through - basic pkt filtering.  There
is no longer any copying of data between kernel/user space, no local
interpretation of TCP packets, etc.

Darren