Firewall Wizards mailing list archives

Re: Evolution of Firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 12 Mar 2004 00:04:16 -0500


  Application proxy firewalls run based on the applications. For example, when a new application comes onto the market, you again have
to write a new application proxy.

By the way, many of us "old school" proxy firewall guys think this is one
of the main value propositions for a proxy. It means that a set of security
eyes are focused (however briefly) on the protocol that is being gatewayed.
This often pays huge dividends because it seems that most app-protocols
are braindamaged. I remember when Dave Dalva at TIS did some assessment
(as part of our HTTP proxy design) on the NCSA "Mosaic" web browser
and found some absolute howlers of security holes (coded by some genius
named "Andreessen"...)  -- this was stuff that everyone else had just rushed
into production with their screening and "stateful multi-blahblah packet blah"
firewalls. When I first started looking at FTP in '89/90 to build my first FTP
proxy, I realized FTP bounce attacks were possible, etc, etc.

Another BIG value of proxies is that they can implement only subsets
of a protocol. Whereas you actually had to try to build a reduced
instruction set FTPD to make a secure(ish) FTP server you could stick
a proxy in the way and only allow RETR and PORT with the destination
equal to the client address. Or you could implement a bare minimum
of an SMTP protocol, as another example. It saves you having to
understand all the security properties of the entire app-protocol stack -
which is sometimes impossible with today's braindamaged protocols.
(e.g.: Anyone understand all of SMB?)

3. Performance.

This is largely an artifact of popular implementations rather than
a "must be" - I saw some very cool demos of one of the Seaway
gig-networking app card the other day. It does TCP termination
and what we'd call "transparent proxying" (with IP scrubbing
thrown in) at 4 gigs/sec. That's with the card acting as both
sides of a TCP stack, just like ye olde proxy firewall used to do.
You could write a proxy atop that puppy to process the app-layer
session commands and make a "stateful blah multi-level poo poo
blah blah" firewall look like a paralytic centipede in comparison.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
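The reduced-subset FTP proxy that mjr describes above (forward only RETR and PORT, and only a PORT whose address is the client's own, which is exactly what kills the FTP bounce attack he mentions) is small enough to show in full. The following is an added example written for this archive page, not code from the post, from TIS or from any firewall product. It assumes a control-channel filter sitting between client and server, and adds USER, PASS and QUIT to the allowed set so a session can actually log in; the "no privileged PORT" rule is a further hardening check that the post does not mention.

```python
"""Control-channel command filter for a reduced-subset FTP proxy.

Only a whitelist of FTP verbs is forwarded. PORT is forwarded only when
the address it carries equals the client's own address, which blocks
FTP bounce (using the server to open data connections to third parties).
Added example, not the original post's or any product's code.
"""

import re
from typing import List, Optional, Tuple

# Assumption: the post names RETR and PORT; USER, PASS and QUIT are added
# here so a login and clean logout are possible.
ALLOWED = {"USER", "PASS", "RETR", "PORT", "QUIT"}

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (all decimal, 0..255).
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(arg: str) -> Optional[Tuple[str, int]]:
    """Parse a PORT argument into (ip, port); None if malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def filter_command(client_ip: str, line: str) -> Tuple[bool, str]:
    """Decide whether one client control-channel line may be forwarded.

    Returns (allowed, reason). Anything outside the subset is refused, so
    the proxy never has to understand the rest of the protocol.
    """
    line = line.rstrip("\r\n")
    if not line:
        return False, "empty line"
    parts = line.split(" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    if verb not in ALLOWED:
        return False, "command %s not in allowed subset" % verb
    if verb == "PORT":
        parsed = parse_port(arg)
        if parsed is None:
            return False, "malformed PORT argument"
        ip, port = parsed
        if ip != client_ip:
            # The bounce check: data connection must go back to the client.
            return False, "PORT to %s differs from client %s (bounce)" % (ip, client_ip)
        if port < 1024:
            # Extra hardening beyond the post: no privileged data ports.
            return False, "PORT to privileged port %d" % port
    return True, "ok"


def filter_session(client_ip: str, lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Run the filter over a whole list of client lines."""
    return [(ln, *filter_command(client_ip, ln)) for ln in lines]


# Constructed sample session (not captured traffic): client is 192.0.2.10.
SAMPLE_CLIENT = "192.0.2.10"
SAMPLE_LINES = [
    "USER anonymous",
    "PASS guest@",
    "PORT 192,0,2,10,4,1",          # back to the client, port 1025: allowed
    "PORT 198,51,100,25,0,25",      # third party, port 25: classic bounce, refused
    "SITE EXEC /bin/sh",            # outside the subset, refused
    "STOR upload.bin",              # outside the subset, refused
    "RETR README",
    "QUIT",
]

if __name__ == "__main__":
    for ln, ok, why in filter_session(SAMPLE_CLIENT, SAMPLE_LINES):
        print("%-5s %-28s %s" % ("PASS" if ok else "DROP", ln, why))
```

The design point is the one the post makes: the proxy does not need to know what SITE, STOR or any other verb does, because it only ever forwards the handful it has reasoned about, and the one command with an embedded address gets its address checked against the connection it arrived on.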