Firewall Wizards mailing list archives
Re: Recommended Open Source Proxy Firewalls
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 9 Jul 2007 20:25:19 +0200
Hi, all!

On Sun, Jul 08, 2007 at 09:34:22AM -0700, Mathew Brown wrote:

> Hi, I just finished reading Marcus Ranum's very interesting paper - http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html - comparing "deep packet inspection firewalls" with "proxy firewalls" and was interested in investigating open source "proxy firewalls". Do open source proxy firewalls even exist, and if so, which would you recommend and why? Thank you for your help.
Well, IMHO this question is not a simple one to answer, because as soon as I'm thinking about the first fact I might want to tell you, I feel like opening Pandora's box ;-) Where to start ..?

OK, first: I do not know of any more or less polished "product" that would fit the term "Open Source Application Level Gateway" and meet today's standards.

Go and get a copy of "Firewalls and Internet Security" by Steve Bellovin and Bill Cheswick. It tells you almost everything you need to know to build your own. At least it will tell you all the principles and concepts. They have not changed that much in the last years, despite vendors hyping a new "technology" every other year or so.

The problem with real application level gateways is: you need to "support" a whole bunch of applications that are inherently insecure. So while I believe that you can build a reasonably strong proxy for HTTP, because the protocol is ubiquitous, reasonably well understood, and there are a lot of plugins for e.g. the Squid proxy that implement MIME filtering, virus checking ..., for many other real world applications you are out of luck. Reason being that the protocols themselves are proprietary. Which is a bad thing when you think about security. Still they exist and people will want to run them through your firewall and - and this is the most important point - if they are not completely brainwashed by the security industry, they will expect the firewall (i.e. the particular proxy) to know what it's doing. E.g. an Oracle proxy for database access over the net could only permit certain configurable databases (SIDs in Oracle speak) to be accessed by a certain client. You will probably need to sign an NDA with Oracle to get enough information to actually go and write such a proxy. And even if you figure it out yourself, they might sue you ;-)

So if you insist on using open source you end up with a "TCP plug" proxy. You could just use a static packet filter with a little bit of "SYN/ACK/established" brains instead. There really isn't that much difference, save possibly IP fragment tricks and similar low level stuff.

Unfortunately the majority of application layer firewall vendors discredited themselves years ago, shipping products that had advanced understanding of the underlying protocol only for some simple and common stuff: HTTP, FTP, Telnet, End of List. Even Gauntlet 6.0 implemented the HTTPS "proxy" as a simple TCP plug. As I said, there's probably nothing won by this. IIRC, Marcus once called that the "dirty little secret" of ALG vendors.

Gauntlet was better than a simple NAT gateway, though, because of its "default deny" policy instead of "anything initiated from inside must be 'good'". But not much. At least not if matched against today's threats which are mostly targeted at the application.

I'm selling a particular ALG (Sidewinder by Secure Computing) and to most potential customers I have to explain these concepts carefully and in depth, and demonstrate just how many filtering capabilities my product really has - because they have been trained into thinking that firewalls are about permitting or denying "ports".

E.g. the Sidewinder's HTTPS proxy enforces a proper TLS handshake when the connection is initiated. It cannot work magic, so once the encryption is in place, it's just as blind about the content as a plug, but at least it enforces protocol. So: Skype does not work through a Sidewinder in default configuration. I consider that a feature. Skype uses a proprietary encrypted protocol over port 443, because most packet filtering firewalls or adaptive deep inspection whatever thingies just leave that port wide open for everything. And you can add SSL decryption and man-in-the-middle your connections to do real content inspection even on HTTPS.

I don't want to just endorse Sidewinder's merits, I just want to give you a picture of what it takes to build an application level gateway that matches today's threats. And that's for every single application! You need an MS-SQL proxy that understands MS-SQL. Want netmeeting? You need a proxy that speaks H.323 and T.120. As I said ... Pandora's box.

So, for historical and technical studies, you could look here: http://www.fwtk.org/ But don't expect it to match up against Sidewinder or Cyberguard or other commercial offerings.

And as much as I prefer Sidewinder over every competing product I've seen so far: it still does much too little! I'd love to have an HTTP proxy that takes a set of regular expressions to match against URLs that are permitted to be fetched from a protected web server and denies everything else. Just as a start. I can think of many more things an ALG could do. ;-)

HTH,
Patrick

--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de
http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
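The two enforcement points Patrick describes, an HTTPS proxy that insists on a real TLS handshake before a port-443 connection is plugged through, and an HTTP proxy that permits only URLs matching a configured set of regular expressions and denies everything else, as an added Python example (editor's illustration, not code from the post, from Sidewinder, Gauntlet or fwtk); the allow-list patterns and the sample bytes are constructed for the example.

```python
import re
import struct

# Constructed sample policy: regular expressions for the only URL paths a
# client may fetch from the protected web server. Anything else is denied.
ALLOWED_URL_PATTERNS = [
    re.compile(r"^/$"),
    re.compile(r"^/static/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.(?:css|js|png)$"),
    re.compile(r"^/api/v1/items/\d+$"),
]

# A request line the proxy is willing to parse at all: method, absolute
# path (a query string is tolerated but not part of the match), HTTP/1.0 or 1.1.
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (/[^\s?#]*)(?:\?[^\s#]*)? HTTP/1\.[01]$")


def http_request_allowed(request_line: str) -> bool:
    """Default deny: a malformed request line or a path outside the
    allow-list never reaches the protected server."""
    m = REQUEST_LINE.match(request_line.rstrip("\r\n"))
    if not m:
        return False
    path = m.group(2)
    return any(p.match(path) for p in ALLOWED_URL_PATTERNS)


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Check that the first bytes a client sends on port 443 form a TLS
    handshake record (type 0x16, version 0x03xx) whose first message is a
    ClientHello (handshake type 0x01) that fits inside the record. A
    proprietary protocol merely using port 443 fails here and is dropped
    instead of being plugged through blindly."""
    if len(data) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    return hs_type == 0x01 and hs_len + 4 <= rec_len  # 4-byte handshake header


# Constructed samples: a minimal TLS 1.2 ClientHello (one cipher suite, no
# extensions) and a first record that is application data, not a handshake.
SAMPLE_CLIENT_HELLO = (
    bytes.fromhex("160301002d" "01000029" "0303") + bytes(32)
    + bytes.fromhex("00" "0002002f" "0100")
)
SAMPLE_NOT_TLS = bytes.fromhex("1703010010") + bytes(16)
```

Both checks are deliberately shallow: the HTTP side never sees the body and the TLS side sees only the first record, which is exactly the "enforces protocol, then goes blind" behaviour described for the HTTPS proxy above.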