Firewall Wizards mailing list archives

Re: Gauntlet source IP address re-write question


From: "Bruce B. Platt" <bbp () comport com>
Date: Tue, 10 Nov 1998 09:31:08 -0500

At 12:36 PM 11/9/98 -0800, Christopher Michael wrote:
->At 11:40 AM 11/9/98 -0500, Joseph S D Yao wrote:
->>Raptor enables wholesale transparency of your network, letting people
->>outside route anything THEY want to anywhere on your network.  This is
->>why we don't like it and don't use it.  Gauntlet transparency does the
->>same thing, to some degree.
->
->Gauntlet transparency *only* means that packets addressed to a destination
->on the other side of the firewall are directed to the proxies.  It is
->typically used to allow users on the inside to use network applications
->without having to enter the firewall as a proxy server in their configs. 
->
->Transparency or not, you have to go through a proxy to get through Gauntlet
->(unless you've enabled packet filtering--which is a whole 'nouther story).
->The proxy rules determine what you have access to.  
->

To broaden this a bit.

Transparency can mean transparent operation both ways.  A truly flexible
firewall proxy can be set up to allow transparency BOTH ways.  I.e., to
allow any host on the red network to connect to any host on the blue net,
or vice-versa.

One way to do this is by enabling rules in the packet screening daemon, like:

from interface blue to interface red tcp port xxxx proxy;
from interface red to interface blue tcp port xxxx proxy;

This sort of flexibility demands that the firewall administrator be
extremely careful to create appropriate and thoughtful .acl files and/or
blacklist entries to keep connections under control, with regular
inspection of logs to be sure you get what you expect.

Also, when one creates a transparent proxy, often the initial configuration
of the proxy as transparent "inbound" (from red net to blue net) also
implies transparent outbound as well.  For example, one can create a
transparent inbound proxy for POP-3 mail to allow people outside a
corporate firewall to retrieve their e-mail from the e-mail server in the
blue-net.  Depending on the firewall, once the inbound connection is
established, outbound traffic will flow as well, enabling in this case a
full POP-3 dialogue.  More well known is the penchant for putting
web-servers behind a transparent inbound proxy so anyone on the red-net can
access either a specific web-server on the blue-net or a re-directing
load-balancing router.

I won't go into the risks of what happens when someone manages to
compromise either the web servers or the POP mail server in these
scenarios, or whether this is a good strategy; I cite these as examples
only of getting two-way transparency when setting up one-way.

Regards


+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
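The message above recommends keeping two-way transparent proxy rules under control and checking them regularly. The following script is an added example, not part of the original post or of Gauntlet itself: it parses a rule set written in the form the message quotes ("from interface X to interface Y tcp port N proxy;") and reports which ports are proxied transparently inbound (red to blue) and which are proxied in BOTH directions, so an administrator can review exactly those entries against the .acl files and logs. The grammar is assumed from the two quoted lines only; the sample rule set, the interface names "red"/"blue" and the function names are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Grammar ASSUMED from the two rule lines quoted in the message:
#   from interface <src> to interface <dst> <proto> port <port> <action>;
# Port ranges or other keywords are not parsed; unknown lines raise an error
# rather than being silently skipped, so an audit never under-reports.
RULE_RE = re.compile(
    r"^from\s+interface\s+(?P<src>\S+)\s+to\s+interface\s+(?P<dst>\S+)"
    r"\s+(?P<proto>tcp|udp)\s+port\s+(?P<port>\d+)\s+(?P<action>\w+)\s*;$",
    re.IGNORECASE,
)


class Rule(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int
    action: str


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule: {line!r}")
        rules.append(Rule(m["src"].lower(), m["dst"].lower(), m["proto"].lower(),
                          int(m["port"]), m["action"].lower()))
    return rules


def inbound_proxy_ports(rules: List[Rule], untrusted: str = "red",
                        trusted: str = "blue") -> List[Tuple[str, int]]:
    """(proto, port) pairs reachable from the untrusted side via a transparent proxy."""
    return sorted({(r.proto, r.port) for r in rules
                   if r.action == "proxy" and r.src == untrusted and r.dst == trusted})


def two_way_proxy_ports(rules: List[Rule], untrusted: str = "red",
                        trusted: str = "blue") -> List[Tuple[str, int]]:
    """(proto, port) pairs that have an explicit proxy rule in BOTH directions."""
    directions = defaultdict(set)
    for r in rules:
        if r.action == "proxy":
            directions[(r.proto, r.port)].add((r.src, r.dst))
    return sorted(key for key, pairs in directions.items()
                  if (untrusted, trusted) in pairs and (trusted, untrusted) in pairs)


# Constructed sample rule set (not from the message); the ports correspond to
# the POP-3 and web-server scenarios the message describes.
SAMPLE_RULES = """
# outbound web browsing through the http proxy
from interface blue to interface red tcp port 80 proxy;
# inbound web server, plus the return direction
from interface red to interface blue tcp port 80 proxy;
# inbound POP-3 only
from interface red to interface blue tcp port 110 proxy;
# outbound ssh, proxied one way only
from interface blue to interface red tcp port 22 proxy;
"""


def audit(text: str = SAMPLE_RULES) -> Dict[str, object]:
    """Summarise a rule set for review: count, inbound ports, two-way ports."""
    rules = parse_rules(text)
    return {
        "rules": len(rules),
        "inbound": inbound_proxy_ports(rules),
        "two_way": two_way_proxy_ports(rules),
    }


if __name__ == "__main__":
    report = audit()
    print(f"{report['rules']} rules parsed")
    print("inbound (red -> blue) transparent proxies:", report["inbound"])
    print("ports proxied transparently BOTH ways (check .acl and logs):", report["two_way"])
```

Run it against a real rule file by passing the file's contents to audit(); every (proto, port) listed under "two_way" is one where any host on either net can reach the other, which is exactly the case the message says needs careful .acl entries and log inspection.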