Firewall Wizards mailing list archives
Re: Stateful Proxying?
From: David Lang <david.lang () digitalinsight com>
Date: Mon, 17 Mar 2003 18:25:51 -0800 (PST)
A lot of it depends on the particular proxy or stateful filter you are talking about.

There are proxies that don't look at the content of the payload at all; they still break the connection into two parts, so whatever games the source plays with IP header values don't get to the destination (you do have to have the firewall stack able to withstand such attacks in this case). Other proxies go all the way up the stack: a box running sendmail as a relay is a proxy for SMTP (not a very secure one, but a proxy), just as a box running bind is a proxy for DNS. These proxies definitely look at everything, even though they probably don't check for RFC/rules compliance very well.

A lot of stateful filter firewalls do very little other than check port info against a list of current connections. Some do a lot more, although most of the time they have helper programs to do the most in-depth checking of a protocol (known on other firewalls as proxies, but as many of these vendors have spent a lot of money convincing customers that proxies are slow and unreliable, they frequently call them 'security servers' or something similar).

You really need to decide what protocols you would like to pass through the firewalls, and then start looking at what the firewalls will do with that particular set of protocols. When you do this, include those that you would like if they were safe to do; sometimes a vendor will surprise you (one vendor, for example, has a ping proxy that clears the payload of ping and ping reply packets so that they are no longer an easy means of covert communications; the same vendor has a CIFS proxy that lets you disable specific functions through it. It so happens I trust CIFS so little that I still don't allow it through, but I could see cases where it could be helpful).

David Lang

On Mon, 17 Mar 2003, Small, Jim wrote:
> Date: Mon, 17 Mar 2003 17:34:32 -0500
> From: "Small, Jim" <jim.small () eds com>
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] Stateful Proxying?
>
> While talking about Firewalls and Proxies, I was asked, can you have a "Stateful Proxy"? It seems like a simple enough question, but I was not sure how to answer it.
>
> Typically a Proxy Server doesn't forward IP packets, so it must listen for any service it proxies and then "proxy" the service. This almost implies state, doesn't it? But do Proxy servers watch ack and sequence numbers or "keep state" like a stateful packet filter does? Am I thinking about this correctly?
>
> If a Proxy Server is "stateful" then the difference between a stateful packet filter and a stateful proxy becomes small indeed. Would you then classify the difference as whether or not the proxy server breaks the connection/circuit and how far up the OSI model it checks and how thoroughly it checks the protocols for RFC/rules conformance?
>
> I would greatly appreciate any feedback or pointers.
>
> Thanks,
> Jim
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
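The "ping proxy that clears the payload" David mentions, as an added example (not code from the thread or from any vendor's product): an application-level scrubber that parses an ICMP echo, keeps the identifier and sequence number so the client can still match replies, zeroes the payload so it cannot carry covert data, and recomputes the checksum. Packets are constructed in-process; nothing is sent on the wire.

```python
import struct
from typing import Optional

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte zero-padded).
    Over a packet whose checksum field is already filled in, a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request/reply with a correct checksum (constructed sample)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def scrub_echo(pkt: bytes) -> Optional[bytes]:
    """Proxy policy: relay only well-formed echo request/reply packets, and relay them
    with a zeroed payload. Returns None for anything that should be dropped."""
    if len(pkt) < 8:
        return None  # shorter than an ICMP header
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST) or code != 0:
        return None  # not a ping: the proxy only speaks echo
    if icmp_checksum(pkt) != 0:
        return None  # corrupt on the wire: do not relay garbage
    # Length is preserved so the client sees the size it expects, but the content
    # channel is closed; id/seq survive because the client needs them to match replies.
    return build_echo(icmp_type, ident, seq, b"\x00" * (len(pkt) - 8))


if __name__ == "__main__":
    inbound = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"covert data here")
    print("in :", inbound.hex())
    print("out:", scrub_echo(inbound).hex())
```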