Firewall Wizards mailing list archives

Re: Stateful Proxying?


From: Mike Scher <mscher () neohapsis com>
Date: Mon, 17 Mar 2003 21:15:13 -0600 (CST)

On Mon, 17 Mar 2003, Paul D. Robertson wrote:
On Mon, 17 Mar 2003, Small, Jim wrote:
While talking about Firewalls and Proxies, I was asked, can you have a
"Stateful Proxy"?

True proxies are stateful by their nature; they do TCP state on the host's
stack, and application level state on the client and server sides of their
code.

A proxy indeed means a stand-between, pretending to be a server to the
client, and a client to the server.  How DEEP it goes beyond L4 (5-7) is a
matter of, as Paul says, implementation.  But a proxy by definition stands
between and breaks the connection between the two sides of a protocol
conversation.

It has to imply state or we're going into marketing mode on the term
proxy.  Perhaps we'd like to redefine state and also protocol while we're
at it?

Sequence numbers are a part of the host stack on a proxy, so yes, it does
indeed keep track of them (assuming the stack isn't horribly broken.)

Heh.  A proxy is generally implemented as a userland program on a
man-in-the-middle (MITM) host, which may also act for traffic-control as
more than a next-hop router.  If the host stack is poorly-implemented, the
proxy may in effect lower security.  I've seen a commercial proxy firewall
ship on a Linux kernel release that accidentally packaged a test TCP
initial sequence number (ISN) implementation (predictably additive; for
test purposes).  As a result, the proxy firewall made the TCP sessions
MORE subject to hijack/spoof abuse.

If a Proxy Server is "stateful" then the difference between a stateful
packet filter and a stateful proxy becomes small indeed.  Would you then

Like all things computerish, it depends a lot on implementation.

A Stateful packet filter, at least in common parlance (is there any other
definition?) goes to L4 -- at BEST.  See the NWC sidebar from back in late
2001 testing various "stateful" firewall implementations
<http://www.networkcomputing.com/1223/1223f26.html> for an idea of how
much variance there can be just at L4.  A proxy covers at least through
L4, and often has protocol-scrubbing capabilities through detailed
portions of the protocol's application layer.  "Depends a lot on
implementation."

Proxies, filters and hybrids all do differing things, sometimes on the
same system for different protocols.  There's so much variance in
different systems that it's really a bad idea to try to generalize at this
point.

Indeed.  That's a great point -- and don't trust marketing uses of the
terms.  Instead, drill down and ask what the firewall DOES.  Don't accept
ill-defined "technical" terms in response to your questions if you need
specific answers.

Don't forget though that some RFCs are better broken from a security
context (like parts of FTP if you must allow it at all.)

Spot on.

      -M

-- 
Michael Brian Scher     |     Director, Neohapsis Labs
mscher () neohapsis com    |     General Counsel
Fax: 773-394-8314       |     Vox: 773-394-8310
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
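The ISN problem described in the message above (a proxy firewall shipping with an additive test ISN generator in its stack) is something a practitioner can check for directly: collect the ISNs from a handful of connections to the box and look at the differences between them. The script below is an added example written for this archive page; it is not code from the thread or from any product mentioned in it. The ISN samples in it are constructed for illustration (one from a hypothetical constant-increment generator, one hand-picked to look random), and the 5% spread threshold in `is_predictable` is an assumed heuristic, not a standard.

```python
"""
Check a sample of TCP initial sequence numbers (ISNs) for the kind of
predictability the thread warns about: an "additive" generator whose
successive ISNs differ by a (near) constant.  An attacker who can watch
a few connections to such a host can guess the ISN of the next one and
complete a spoofed handshake, or inject into a session, without ever
seeing the server's SYN/ACK.

All ISN samples below are constructed for this example; they are not
measurements from any real firewall or operating system.
"""
import statistics
from collections import Counter

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def is_predictable(isns, tolerance=0.05):
    """
    Heuristic (assumed threshold): ISNs count as predictable when the
    deltas cluster tightly, i.e. their standard deviation is small
    relative to the 32-bit space.  A constant-increment generator gives
    a spread of 0; a generator with a proper random component spreads
    its deltas over the whole space.
    """
    d = deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISNs to judge a pattern")
    return statistics.pstdev(d) < tolerance * SEQ_MOD


def predict_next(isns):
    """
    Attacker's view: assume the most common delta continues and guess
    the next ISN.  Returns (guessed_isn, inferred_increment).
    """
    increment = Counter(deltas(isns)).most_common(1)[0][0]
    return (isns[-1] + increment) % SEQ_MOD, increment


def blind_handshake_ack(isns):
    """
    The ACK number a spoofer would put in the third packet of a
    handshake it cannot observe: the guessed server ISN plus one.
    """
    guess, _ = predict_next(isns)
    return (guess + 1) % SEQ_MOD


def additive_isns(start, increment, count):
    """Constructed stand-in for a test ISN generator that only adds a constant."""
    return [(start + i * increment) % SEQ_MOD for i in range(count)]


# Constructed samples (hypothetical; the additive one is placed so it wraps past 2**32).
ADDITIVE_SAMPLE = additive_isns(0xFFFF0000, 64000, 8)
RANDOM_SAMPLE = [0x9E3779B9, 0x1B873593, 0xCC9E2D51,
                 0x85EBCA6B, 0xC2B2AE35, 0x27D4EB2F]


def report(name, isns):
    """One-line verdict: pattern check plus whether the attacker's guess lands."""
    verdict = "PREDICTABLE" if is_predictable(isns) else "looks random"
    guess, inc = predict_next(isns[:-1])
    hit = "hit" if guess == isns[-1] else "miss"
    return f"{name}: {verdict}; guessed next ISN {guess:#010x} (inc {inc}) -> {hit}"


if __name__ == "__main__":
    print(report("additive", ADDITIVE_SAMPLE))
    print(report("random", RANDOM_SAMPLE))
```

Against a real box you would replace the constructed lists with ISNs captured from repeated connections (the server's sequence number in each SYN/ACK). The point of the wrap-around in the additive sample is that the modular delta stays constant even when the raw values do not, so the check must be done modulo 2**32 or a predictable generator can slip past it.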