Firewall Wizards mailing list archives
Re: Evolution of Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 12 Mar 2004 00:04:16 -0500
> Application proxy firewalls run based on the applications. For example, when a new application comes on the market, you again have to write a new application proxy.
By the way, many of us "old school" proxy firewall guys think this is one of the main value propositions for a proxy. It means that a set of security eyes are focused (however briefly) on the protocol that is being gatewayed. This often pays huge dividends because it seems that most app-protocols are braindamaged. I remember when Dave Dalva at TIS did some assessment (as part of our HTTP proxy design) on the NCSA "Mosaic" web browser and found some absolute howlers of security holes (coded by some genius named "Andreeson"...) -- this was stuff that everyone else had just rushed into production with their screening and "stateful multi-blahblah packet blah" firewalls. When I first started looking at FTP in '89/90 to build my first FTP proxy, I realized FTP bounce attacks were possible, etc, etc.

Another BIG value of proxies is that they can implement only subsets of a protocol. Whereas you actually had to try to build a reduced instruction set FTPD to make a secure(ish) FTP server, you could stick a proxy in the way and only allow RETR and PORT with the destination equal to the client address. Or you could implement a bare minimum of an SMTP protocol, as another example. It saves you having to understand all the security properties of the entire app-protocol stack - which is sometimes impossible with today's braindamaged protocols. (e.g.: Anyone understand all of SMB?)
> 3. Performance.
This is largely an artifact of popular implementations rather than a "must be" - I saw some very cool demos of one of the Seaway gig-networking app cards the other day. It does TCP termination and what we'd call "transparent proxying" (with IP scrubbing thrown in) at 4 gigs/sec. That's with the card acting as both sides of a TCP stack, just like ye olde proxy firewall used to do. You could write a proxy atop that puppy to process the app-layer session commands and make a "stateful blah multi-level poo poo blah blah" firewall look like a paralytic centipede in comparison.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
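The "only allow RETR and PORT with the destination equal to the client address" idea above is the control-channel half of an FTP proxy that refuses the bounce attack by construction. The following is an added example, not code from the original post or from any TIS/ranum.com product: a command filter that forwards only a small command subset (the exact whitelist, the 512-byte line limit and the refusal of PORT targets below 1024 are assumptions of this example, not the post's), parses the h1,h2,h3,h4,p1,p2 form of PORT, and drops any PORT whose host is not the client that sent it. Relaying the data connection once a PORT is accepted is outside this snippet.

```python
import re

# Command subset the proxy is willing to gateway. Anything else on the
# control channel is refused without being forwarded (assumed whitelist).
ALLOWED = {"USER", "PASS", "TYPE", "RETR", "PORT", "QUIT"}

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as p1*256+p2
_PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Parse a PORT argument into (host, port); None if it is malformed."""
    m = _PORT_RE.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def filter_command(line, client_ip):
    """Decide whether one control-channel line from client_ip is forwarded.

    Returns (allowed, reason). The bounce check is the important part:
    a PORT whose host is not the connecting client is refused, so the
    server behind the proxy can never be told to open a data connection
    to a third party.
    """
    line = line.rstrip("\r\n")
    if not line or len(line) > 512:
        return False, "empty or oversized line"
    parts = line.split(" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""

    if verb not in ALLOWED:
        return False, f"{verb} not in proxied subset"

    if verb == "PORT":
        parsed = parse_port_arg(arg)
        if parsed is None:
            return False, "malformed PORT argument"
        host, port = parsed
        if host != client_ip:
            return False, f"PORT target {host} is not the client {client_ip} (bounce)"
        if port < 1024:
            return False, f"PORT to privileged port {port} refused"

    return True, "forwarded"


def run_session(lines, client_ip):
    """Apply the filter to a whole session; returns the list of verdicts."""
    return [filter_command(ln, client_ip) for ln in lines]


if __name__ == "__main__":
    # Constructed sample session, not a captured one.
    client = "192.0.2.10"
    session = [
        "USER anonymous",
        "PASS guest@",
        "PORT 192,0,2,10,4,1",      # client's own address, port 1025: ok
        "RETR pub/README",
        "PORT 198,51,100,5,0,25",   # third host, port 25: classic bounce
        "SITE EXEC /bin/sh",        # not in the subset
        "QUIT",
    ]
    for ln, (ok, why) in zip(session, run_session(session, client)):
        print(f"{'ALLOW' if ok else 'DENY ':5} {ln!r}: {why}")
```

The whitelist is deliberately tiny: every verb the proxy does not understand is a verb it does not have to reason about, which is the point made in the post.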