Re: Secure Computing Sidewinder?

[<lordchariot () embarqmail com>]

> > > Last time I played with ISA, it wasn't an application-layer gateway, it 
> > > was a bastardized SOCKS circuit-layer gateway.  That means it was doing 
> > > more to enforce what connected than what went through it.

> > I'd be interested/grateful if you could expand on that?

Historically, at the time of MS proxy 1 & 2, it was not a gateway routing
device. It was an http proxy, a SOCKS proxy and a WinSock proxy. 

The WinSock proxy needed a Windows client loaded into each and every client
PC. This was a shim into the WinSock TCP stack that intercepted and
forwarded IP packets to the MS Proxy server in a generic (SOCKS-like) way.
When the packet arrived at MS Proxy, there was a small set of firewall-like
enforcement rules that would allow or deny based on protocol/port/IP. Then
it would start an onward session from the Proxy to the destination and
forward the contents, much like SOCKS does. There was no application
inspection performed.

By using the shim into the TCP stack on the client, the application didn't
have to be proxy-aware or SOCKSified. However any other non-Windows client
was hosed and had to make sure they could go out via HTTP proxy or SOCKS.

I cut my teeth on TCP/IP and MS Proxy back in the day, but by the time ISA
came out (2000?), I had already moved on to a 'real' application-layer
firewall.

e² 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards