Firewall Wizards mailing list archives
Re: Proxy and Stateful together ??
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sat, 16 Nov 2002 11:05:40 -0500 (EST)
On Fri, 15 Nov 2002, Bennett Todd wrote:

[Moderator's note: There have been lots of product recommendations. I hope the original questioner will summarize them all for the list early next week, so we don't have a flood of "I like $product" messages. Vendors are encouraged to e-mail the original questioner directly should they feel the requirements are met with their respective products.]

> 2002-11-15-10:19:51 Jean Caron:
> > I'd really like to find a true hybrid firewall doing both Application Level Proxy and Stateful Packet Filtering, with the flexibility of doing either or.
>
> My favourite bastion architecture! Pick open source base OS of choice; I happen to like Linux, but any of the *BSDs work as well. Use its builtin stateful packet filtering, mix and match however tastes best with an assortment of open source proxies of various sorts. Wherever possible use really well-written, tightly-secured, high-level application proxies. The gold standard of this sort would be, for SMTP, qmail and Postfix, and for DNS, djbdns. All the others are a step down. Given the difficulty finding really first-rate, top-quality secure application-layer proxies, I think SELinux is coming to be an exceedingly attractive platform for building these gizmos, since it offers some helpful tools for sandboxing less-perfectly-trusted daemons. I'd also be tempted to mix in some of the canary stuff from Immunix (StackGuard and all that).

I'm curious about why you'd choose SELinux over RSBAC given several things:

1. SELinux may end up patent encumbered from the DTE stuff.
2. RSBAC is much older and therefore has an easier to evaluate history.
3. RSBAC seems, at least on the face of it, to be much easier to administer.
4. Recent RSBAC kernels have a jail facility built right in.
5. The Government wasn't involved in RSBAC ;)

Would you mind sharing your rationale?

> Might park a snort on it while I was about it, too.

Hmmm, isn't that adding a level of bloatedness that's a bit extreme?

> The Olde Fashioned way to pull this off is of course to sandbox the less-trustworthy application proxies out in separate physical boxes out on DMZs. Nice if you can afford it :-).
>
> -Bennett

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
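The bastion Bennett describes (the OS's stateful packet filter as the outer shell, a few hand-picked application proxies as the only things reachable from outside, and an "either or" path for traffic that is filtered statefully but not proxied), written out as a Linux iptables ruleset. This is an added example, not code from anyone on the thread. The interface names eth0/eth1, the postfix and dnscache service accounts, the 10.0.0.0/8 internal range, and the choice to let inside hosts reach HTTPS directly through the stateful path are all assumptions; it uses the current conntrack match syntax rather than the 2002-era `-m state` form.

```shell
#!/bin/sh
# Hybrid bastion ruleset: stateful packet filter plus local application
# proxies for SMTP and DNS. Added example, not from the mailing-list post.
# Assumed: interface names, proxy service accounts, and internal range.
EXT="${EXT:-eth0}"                  # assumed external interface
INT="${INT:-eth1}"                  # assumed internal interface
SMTP_USER="${SMTP_USER:-postfix}"   # assumed account the SMTP proxy runs as
DNS_USER="${DNS_USER:-dnscache}"    # assumed account the DNS cache runs as
INT_NET="${INT_NET:-10.0.0.0/8}"    # constructed internal address range

# Emit one rule. By default (dry run) the rule is printed so the ruleset
# can be reviewed; with APPLY=1 it is handed to iptables instead.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

bastion_rules() {
    # Default deny in every direction; the proxies are the only openings.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
    rule -F
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to tracked connections pass, untrackable
    # packets are dropped before any service-specific rule sees them.
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Proxied services: new connections terminate on the local daemons.
    # SMTP is accepted from both sides (relay in, relay out); the DNS cache
    # is reachable only from the inside.
    rule -A INPUT -i "$EXT" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -i "$INT" -s "$INT_NET" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -i "$INT" -s "$INT_NET" -p udp --dport 53 -j ACCEPT
    rule -A INPUT -i "$INT" -s "$INT_NET" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Egress is tied to the proxy accounts: only the SMTP and DNS daemons may
    # originate outbound connections, so a compromised process running as
    # any other uid has no path off the box.
    rule -A OUTPUT -o "$EXT" -m owner --uid-owner "$SMTP_USER" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -o "$EXT" -m owner --uid-owner "$DNS_USER" -p udp --dport 53 -j ACCEPT
    rule -A OUTPUT -o "$EXT" -m owner --uid-owner "$DNS_USER" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Pure stateful path ("either or"): inside hosts reach HTTPS directly,
    # tracked by conntrack but not proxied. Nothing else is forwarded.
    rule -A FORWARD -i "$INT" -o "$EXT" -s "$INT_NET" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
}

# Sanity check for review: how many rules open a NEW inbound connection from
# the external interface? It should equal the number of externally exposed
# proxies (here, one: SMTP).
external_new_rules() {
    bastion_rules | grep -c -- "-A INPUT -i $EXT .*--ctstate NEW -j ACCEPT"
}

bastion_rules
```

Run it as-is to print the ruleset for review, or with `APPLY=1` to load it. The `-m owner` match is only valid in the OUTPUT chain, which is exactly where it earns its keep here: the proxies' service accounts are the whole egress policy, so adding a new proxy means adding one INPUT rule for its port and one OUTPUT rule for its uid, and nothing else changes. `external_new_rules` is the kind of check worth keeping next to the ruleset, since the externally reachable surface of a bastion like this should stay countable on one hand.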
Current thread:
- Proxy and Stateful together ?? Jean Caron (Nov 15)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 16)
- Re: Proxy and Stateful together ?? Paul D. Robertson (Nov 16)
- Re: Proxy and Stateful together ?? Jean Caron (Nov 16)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? R. DuFresne (Nov 18)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? Jean Caron (Nov 18)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? Paul D. Robertson (Nov 16)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 16)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? OpenBSD Paul D. Robertson (Nov 16)