Firewall Wizards mailing list archives
Re: Stateful Proxying?
From: Mike Scher <mscher () neohapsis com>
Date: Mon, 17 Mar 2003 21:15:13 -0600 (CST)
On Mon, 17 Mar 2003, Paul D. Robertson wrote:

> On Mon, 17 Mar 2003, Small, Jim wrote:
> > While talking about Firewalls and Proxies, I was asked, can you have a "Stateful Proxy"?
>
> True proxies are stateful by their nature, they do TCP state on the hosts' stack, and application level state on the client and server sides of their code.

A proxy indeed means a stand-between, pretending to be a server to the client, and a client to the server. How DEEP it goes beyond L4 (5-7) is a matter of, as Paul says, implementation. But a proxy by definition stands between and breaks the connection between the two sides of a protocol conversation. It has to imply state or we're going into marketing mode on the term proxy. Perhaps we'd like to redefine state and also protocol while we're at it?

> Sequence numbers are a part of the host stack on a proxy, so yes, it does indeed keep track of them (assuming the stack isn't horribly broken.)

Heh. A proxy is generally implemented as a userland program on a man-in-the-middle (MITM) host, which may also act for traffic-control as more than a next-hop router. If the host stack is poorly-implemented, the proxy may in effect lower security. I've seen a commercial proxy firewall ship on a Linux kernel release that accidentally packaged a test TCP initial sequence number (ISN) implementation (predictably additive; for test purposes). As a result, the proxy firewall made the TCP sessions MORE subject to hijack/spoof abuse.

> > If a Proxy Server is "stateful" then the difference between a stateful packet filter and a stateful proxy becomes small indeed. Would you then
>
> Like all things computerish, it depends a lot on implementation.

A Stateful packet filter, at least in common parlance (is there any other definition?) goes to L4 -- at BEST. See the NWC sidebar from back in late 2001 testing various "stateful" firewall implementations <http://www.networkcomputing.com/1223/1223f26.html> for an idea of how much variance there can be just at L4. A proxy covers at least through L4, and often has protocol-scrubbing capabilities through detailed portions of the protocol's application layer. "Depends a lot on implementation."

> Proxies, filters and hybrids all do differing things, sometimes on the same system for different protocols. There's so much variance in different systems that it's really a bad idea to try to generalize at this point.

Indeed. That's a great point -- and don't trust marketing uses of the terms. Instead, drill down and ask what the firewall DOES. Don't accept ill-defined "technical" terms in response to your questions if you need specific answers.

> Don't forget though that some RFCs are better broken from a security context (like parts of FTP if you must allow it at all.)

Spot on.

-M

--
Michael Brian Scher | Director, Neohapsis Labs
mscher () neohapsis com | General Counsel
Fax: 773-394-8314 | Vox: 773-394-8310

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
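The distinction Mike draws above (a proxy stands between the two sides, terminates the client's TCP connection on its own host stack, opens a second, independent connection to the server, and can scrub at the application layer, which a packet filter working at L4 cannot) is easy to see in a few dozen lines. The following is an added illustration, not code from the thread or from any product discussed in it. It uses a constructed, FTP-flavoured line protocol (a `220` banner, one `200` acknowledgement per command) and a constructed allowlist of verbs; blocking `PORT` is chosen only to echo Paul's remark that parts of FTP are better broken, and the toy server, the allowlist and the `502` reply text are all assumptions of this example.

```python
import socket
import threading

# Constructed allowlist for the toy control protocol (assumption of this example).
ALLOWED_VERBS = {b"USER", b"PASS", b"LIST", b"RETR", b"QUIT"}


def scrub(line):
    """Application-layer (L7) decision the proxy makes for each client command.

    Returns (forward, reply). forward=True means the line is relayed upstream;
    otherwise `reply` goes back to the client and the server never sees the line.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb in ALLOWED_VERBS:
        return True, None
    return False, b"502 " + verb + b" not permitted by proxy\r\n"


def toy_server(listener, seen):
    """Constructed upstream server: greets, then acknowledges each line it receives."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b"220 toy\r\n")
        for line in rf:
            seen.append(line)  # record what actually reached the server
            verb = line.strip().split(b" ", 1)[0].upper()
            conn.sendall(b"200 " + verb + b"\r\n")
            if verb == b"QUIT":
                break


def proxy(listener, server_addr):
    """Accept one client, then open a *separate* TCP connection to the server.

    The client's connection terminates here (this host's stack owns its ISNs and
    state); the upstream connection is a second, independent TCP session.
    """
    client, _ = listener.accept()
    upstream = socket.create_connection(server_addr)
    with client, upstream, client.makefile("rb") as cf, upstream.makefile("rb") as uf:
        client.sendall(uf.readline())  # relay the server banner
        for line in cf:
            forward, reply = scrub(line)
            if forward:
                upstream.sendall(line)
                client.sendall(uf.readline())
            else:
                client.sendall(reply)
            if line.strip().split(b" ", 1)[0].upper() == b"QUIT":
                break


def listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    s.listen(1)
    return s


def run_demo(commands):
    """Drive server, proxy and client on loopback; return (client replies, server-seen lines)."""
    seen = []
    srv, prx = listen(), listen()
    ts = threading.Thread(target=toy_server, args=(srv, seen))
    tp = threading.Thread(target=proxy, args=(prx, srv.getsockname()))
    ts.start()
    tp.start()
    replies = []
    with socket.create_connection(prx.getsockname()) as c, c.makefile("rb") as rf:
        replies.append(rf.readline())
        for cmd in commands:
            c.sendall(cmd + b"\r\n")
            replies.append(rf.readline())
    ts.join()
    tp.join()
    srv.close()
    prx.close()
    return replies, seen


if __name__ == "__main__":
    replies, seen = run_demo([b"USER alice", b"PORT 10,0,0,1,4,1", b"QUIT"])
    print("client saw:", replies)
    print("server saw:", seen)
```

Run it and the server-side record shows only `USER` and `QUIT`: the `PORT` line was answered by the proxy itself and never crossed to the second connection. A stateful packet filter tracking the same session at L4 would have had to pass or drop the whole connection; it has no place to make that per-command decision.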
Current thread:
- Stateful Proxying? Small, Jim (Mar 17)
- Re: Stateful Proxying? David Lang (Mar 17)
- Re: Stateful Proxying? Paul D. Robertson (Mar 17)
- Re: Stateful Proxying? Mike Scher (Mar 17)
- Re: Stateful Proxying? Darren Reed (Mar 18)
- Re: Stateful Proxying? David Lang (Mar 18)
- Re: Stateful Proxying? Darren Reed (Mar 18)
- Re: Stateful Proxying? David Lang (Mar 18)
- <Possible follow-ups>
- Re: Stateful Proxying? Marcus J. Ranum (Mar 17)