Firewall Wizards mailing list archives

Re: Stateful Proxying?


From: David Lang <david.lang () digitalinsight com>
Date: Mon, 17 Mar 2003 18:25:51 -0800 (PST)

A lot of it depends on the particular proxy or stateful filter you are
talking about.

There are proxies that don't look at the content of the payload at all;
they still break the connection into two parts, so whatever games the
source plays with IP header values don't get to the destination (you do
have to have a firewall stack able to withstand such attacks in this
case).

Other proxies go all the way up the stack: a box running sendmail as a
relay is a proxy for SMTP (not a very secure one, but a proxy), just as a
box running bind is a proxy for DNS. These proxies definitely look at
everything, even though they probably don't check for RFC/rules compliance
very well.

A lot of stateful filter firewalls do very little other than check port
info against a list of current connections; some do a lot more, although
most of the time they have helper programs to do the most in-depth
checking of a protocol (known on other firewalls as proxies, but as many
of these vendors have spent a lot of money convincing customers that
proxies are slow and unreliable, they frequently call them 'security
servers' or something similar).

You really need to decide what protocols you would like to pass through
the firewalls, and then start looking at what the firewalls will do with
that particular set of protocols. When you do this, include those that you
would like if they were safe to do; sometimes a vendor will surprise you
(one vendor, for example, has a ping proxy that clears the payload of ping
and ping reply packets so that they are no longer an easy means of covert
communications; the same vendor has a CIFS proxy that lets you disable
specific functions through it. It so happens I trust CIFS so little that I
still don't allow it through, but I could see cases where it could be
helpful).

David Lang

On Mon, 17 Mar 2003, Small, Jim wrote:

Date: Mon, 17 Mar 2003 17:34:32 -0500
From: "Small, Jim" <jim.small () eds com>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Stateful Proxying?

While talking about Firewalls and Proxies, I was asked, can you have a
"Stateful Proxy"?

It seems like a simple enough question, but I was not sure how to answer it.
Typically a Proxy Server doesn't forward IP packets, so it must listen for
any service it proxies and then "proxy" the service.  This almost implies
state, doesn't it?  But do Proxy servers watch ack and sequence numbers or
"keep state" like a stateful packet filter does?  Am I thinking about this
correctly?

If a Proxy Server is "stateful" then the difference between a stateful
packet filter and a stateful proxy becomes small indeed.  Would you then
classify the difference as whether or not the proxy server breaks the
connection/circuit and how far up the OSI model it checks and how thoroughly
it checks the protocols for RFC/rules conformance?

I would greatly appreciate any feedback or pointers.

Thanks,
   <> Jim


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

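The two mechanisms discussed in the reply above, a stateful packet filter that checks inbound packets against a table of current connections (with or without also watching sequence and ack numbers, which is the difference Jim asks about) and a ping proxy that clears the echo payload so it cannot carry a covert channel, as an added example in Python. This is not code from the posting or from any vendor product it mentions. The addresses, ports, sequence numbers and the ICMP payload are constructed test data; the 64K acceptance window, the simplified (non-wrapping) sequence arithmetic and the choice to zero the echo payload while keeping its length are assumptions of this example.

```python
"""
Added example: (1) a stateful packet filter that mostly "checks port info
against a list of current connections", with an optional seq/ack window
check (check_seq=False gives the port-only behaviour), and (2) a ping proxy
that clears the payload of echo request/reply messages and recomputes the
ICMP checksum. All packets are constructed inline; no network is touched.
Sequence arithmetic ignores 32-bit wrap-around (an assumption, for brevity).
"""
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class StatefulFilter:
    """Allow connections initiated from inside_net; allow inbound packets only
    when they match a tracked connection (and, optionally, its seq/ack window)."""

    def __init__(self, inside_net: str, check_seq: bool = True, window: int = 65535):
        self.inside_net = inside_net
        self.check_seq = check_seq
        self.window = window  # assumed acceptance window, not a real vendor value
        # key: (inside ip, inside port, outside ip, outside port)
        # value: {sender ip: next sequence number expected from that sender}
        self.table: dict = {}

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_net)

    def _key(self, p: Packet) -> tuple:
        if self._inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        st = self.table.get(self._key(p))
        if st is None:
            # Only an outbound SYN may create state; any other unknown packet is dropped.
            if self._inside(p.src) and p.flags == SYN:
                self.table[self._key(p)] = {p.src: p.seq + 1}
                return "ALLOW"
            return "DROP"
        if self.check_seq:
            expected = st.get(p.src)
            if expected is not None and abs(p.seq - expected) > self.window:
                return "DROP"  # sequence number outside the window we expect
            if p.flags & ACK and p.dst in st and abs(p.ack - st[p.dst]) > self.window:
                return "DROP"  # acknowledges data the peer never sent
        st[p.src] = p.seq + len(p.payload) + (1 if p.flags & SYN else 0)
        return "ALLOW"


# Constructed traffic: an inside client opening an HTTP connection outward.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 80, SYN, seq=1000),
    Packet(SERVER, 80, CLIENT, 40000, SYN | ACK, seq=5000, ack=1001),
    Packet(CLIENT, 40000, SERVER, 80, ACK, seq=1001, ack=5001),
    Packet(CLIENT, 40000, SERVER, 80, ACK, seq=1001, ack=5001, payload=b"GET / HTTP/1.0\r\n\r\n"),
]
# Correct 4-tuple and flags but an ack number the client never sent: what an
# off-path spoofer guessing at the connection would produce.
SPOOFED_ACK = Packet(SERVER, 80, CLIENT, 40000, ACK, seq=5001, ack=999_999_999, payload=b"evil")
# Inbound SYN with no matching state at all.
UNSOLICITED_SYN = Packet("198.51.100.9", 1234, CLIENT, 22, SYN, seq=7)


def run_handshake(fw: StatefulFilter) -> list:
    return [fw.filter(p) for p in HANDSHAKE]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; yields 0 over a message whose checksum is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seqno: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seqno)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seqno) + payload


def scrub_echo(icmp: bytes) -> bytes:
    """Ping-proxy behaviour: zero the payload of echo request/reply, keep id/seq and
    length so ping still works, recompute the checksum. Other ICMP types pass untouched."""
    typ, code, _, ident, seqno = struct.unpack("!BBHHH", icmp[:8])
    if typ not in (0, 8):
        return icmp
    body = bytes(len(icmp) - 8)  # assumption: length preserved, content cleared
    header = struct.pack("!BBHHH", typ, code, 0, ident, seqno)
    return struct.pack("!BBHHH", typ, code, icmp_checksum(header + body), ident, seqno) + body
```

With `check_seq=True` the spoofed segment is dropped because its ack number is nowhere near what the client actually sent; with `check_seq=False` the same segment passes, since the 4-tuple alone matches the table. That is the gap between a filter that "checks port info against a list of current connections" and one that watches sequence and ack numbers. The ICMP scrubber shows the simplest form of a proxy going up the stack: it rebuilds the message rather than forwarding the original bytes, so whatever the sender put in the payload never reaches the other side, though the payload length is still visible.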
