Firewall Wizards mailing list archives
Re: Transparent vs. Non-transparent AGs/SPFs/whatever
From: Woody Weaver <woody () wiltelnsi com>
Date: Thu, 24 Sep 1998 13:32:45 -0700
At 03:21 PM 9/22/98 -0700, Ryan Russell wrote:
[...]
> So here's my question: If I want transparency, am I essentially stuck trying to determine protocol strictly by port number? If I want to permit people out to arbitrary port numbers, am I stuck with the equivalent of a circuit-level proxy?
>
> Ryan
Are we speaking theoretically? You pose a question:

> If I've got a transparent proxy, or some SPF, how is it supposed to know that when I connect to port 2300, I want the telnet protocol instead of HTTP, FTP, or something else?
You can use the "oh, it's you, Bob" approach: poll the users, find out that Bob occasionally talks to some.host:2300 using telnet, and then add the state to your AG that connections that are identified as coming from Bob to some.host on port 2300 should use the telnet proxy to connect. The reason that transparent proxies can "get away" with using a telnetd proxy to intervene in conversations on port 23 is (1) that they have been given information that a telnet session is about to take place, and (2) they have been given authority to monitor that telnet session and ensure that the only information passed complies with the expected protocols of telnet. But the guts of your question are based in

> There are obviously some clues in the data stream as to what the protocol is, but trying to figure it out on the fly won't scale very well.

It is necessary and sufficient that the AG acquire the information on the nature of the traffic the user is trying to invoke, and acquire the authority to monitor and moderate that traffic. If you have a complete list of protocols that users are permitted, and can unambiguously assign them based upon information available to the AG, and have application proxies for each of those protocols, then yes you can do what you want. Note that "information available to the AG" can include table based information (i.e. the note that Bob uses telnet to connect to FW1 on 259 at partner.firewall.com) or it can include transaction state (i.e. after the handshake the remote side sent us a "login:" prompt) or it can include anything else you can think of, including a non-transparent butler on the client workstation that signals the AG what the user is trying to do. Comparing this against the effort of non-transparent proxies is left as an exercise for the reader. :)

--woody

--
Robert Wooddell Weaver               email: woody () wiltelnsi com
Network Engineer                     voice: 510.358.3972
Williams Communication Data Group    pager: 510.702.4334
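As an added example, not from Woody's post or any real gateway: a toy AG dispatcher that combines the table-based "oh, it's you, Bob" entries with transaction-state clues taken from the first bytes of the stream, and falls back to deny when the two disagree. The policy entries, user names and sample bytes are constructed for illustration.

```python
from typing import Optional

# Constructed policy table: (user, dest host, dest port) -> protocol whose
# application proxy is authorised to carry the session. "*" is a wildcard.
POLICY = {
    ("bob", "some.host", 2300): "telnet",            # Bob's odd-port telnet
    ("bob", "partner.firewall.com", 259): "telnet",  # Bob's telnet to FW1 on 259
    ("*", "*", 23): "telnet",                        # well-known ports for everyone
    ("*", "*", 80): "http",
}

def lookup_policy(user: str, host: str, port: int) -> Optional[str]:
    """Most-specific entry wins; wildcard entries are consulted last."""
    for key in ((user, host, port), (user, "*", port),
                (u"*", host, port), ("*", "*", port)):
        if key in POLICY:
            return POLICY[key]
    return None

def sniff_protocol(first_bytes: bytes) -> Optional[str]:
    """Transaction-state clue from the first bytes after the TCP handshake.
    Returns None when the sample is too short or unrecognised."""
    # Telnet option negotiation: IAC (0xff) followed by WILL/WONT/DO/DONT.
    if first_bytes[:1] == b"\xff" and first_bytes[1:2] in (b"\xfb", b"\xfc", b"\xfd", b"\xfe"):
        return "telnet"
    # HTTP request line: method, target, version.
    if first_bytes.split(b" ")[0] in (b"GET", b"POST", b"HEAD") and b"HTTP/" in first_bytes:
        return "http"
    # Server greeted us with a login prompt, as in Woody's example.
    if b"login:" in first_bytes.lower():
        return "telnet"
    return None

def choose_proxy(user: str, host: str, port: int, first_bytes: bytes) -> str:
    """Name the proxy to hand the connection to, or 'deny'.
    Policy grants the authority; the sniffed clue may only veto, never grant."""
    expected = lookup_policy(user, host, port)
    if expected is None:
        return "deny"                      # no table entry: AG has no authority here
    observed = sniff_protocol(first_bytes)
    if observed is not None and observed != expected:
        return "deny"                      # stream contradicts what the table says
    return f"{expected}-proxy"             # proxy then enforces protocol compliance
```

The proxy named by the result is still expected to police the session itself; the clue check only stops an obviously mislabelled stream before it is handed over.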