Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: ArkanoiD <ark () eltex net>
Date: Thu, 28 Apr 2011 01:12:59 +0400
On Wed, Apr 27, 2011 at 01:52:48PM -0700, David Lang wrote:
> I think there is some room for an HTTP or XML firewall checker to be implemented and satisfy a lot of needs (technical needs, that is; when management makes a decision that "all firewalls are going to be Cisco" or even "all firewalls must be commercial appliances", that trumps all technical issues), but right now I am not aware of any free tools in these spaces, completely ignoring the 'learning modes' of many of the commercial offerings.
At the moment I am trying to offload non-protocol-related HTTP checks to external ICAP filters. For XML, I have a raw prototype, but I do not like the fact that it is based on libxml2 and inherits all of its potential vulnerabilities (as it is a huge piece of code), and there is still a lack of an automated tool that can be used to "formalize" "normal" XML flow to check for anomalies later. For several well-documented protocols it is not needed, but aiming at SOA it is probably a must :-(
> openfwtk hasn't hit this yet for me, as the key thing that I use FWTK for is the authenticated proxies, and the last I checked it doesn't have an authsrv equivalent (or the ability for its proxies to tie in to an authentication source).
You must be missing something; authsrv is the part that required several fixes, so it is there for sure, for a few years at least, and it has really improved much. Multiple groups per user are allowed, authentication sources may be checked against netperm-table (you may write rules that restrict authentication to a given proxy, or a given host), a Unix local socket is supported as a transport to avoid writing complicated "loopback prevention" rules, etc. I am thinking about adding RADIUS and/or PAM backend support, but I still have had no time to implement that.
> openfwtk also isn't the complete solution that ArkanoiD painted it to be; for many things it just says 'use tool X', which is a good thing to avoid re-inventing the wheel, but it doesn't result in the firewall API that he is looking for.
Unfortunately it still is not :-( Lack of resources, that's it. Reimplementing full IMSpector, GreenSQL and privoxy functionality is not non-trivial, it is just time consuming. Until then you need extra tools. There is nothing wrong with the fact that you need other tools that are outside OpenFWTK's scope, though, like Prelude, log analyzers, etc.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
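ArkanoiD says above that a tool to "formalize" normal XML flow for later anomaly checks is missing. As an added illustration (not OpenFWTK code and not from anyone in the thread), this Python sketch shows the shape such a profile-based check can take: learn the element paths, attribute names and per-message repetition counts from known-good messages, then flag anything a new message uses outside that profile. The function names, the SOAP-style sample messages and the 64 KB size cap are assumptions made for the example.

```python
"""Profile-based XML anomaly check (added example, not OpenFWTK code).

Learn which element paths / attribute names / repetition counts occur in a
corpus of known-good messages, then report anything outside that profile.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Caveat: ElementTree wraps expat, so it is still a large parser attack
# surface.  A real filter would cap message size before parsing (done below)
# and disable entity/DTD processing (e.g. via defusedxml) as well.


def _paths(root):
    """Yield (path, attribute-name set) for every element in document order
    of a depth-first walk.  Paths are '/'-joined tags from the root; namespaced
    tags keep ElementTree's '{uri}tag' spelling."""
    stack = [(root, root.tag)]
    while stack:
        el, path = stack.pop()
        yield path, frozenset(el.attrib)
        for child in el:
            stack.append((child, path + "/" + child.tag))


def learn_profile(messages):
    """Build the profile: for each element path, the attribute names seen and
    the maximum number of occurrences observed in any single message."""
    profile = {}  # path -> {"attrs": set of names, "max_count": int}
    for msg in messages:
        counts = Counter()
        for path, attrs in _paths(ET.fromstring(msg)):
            counts[path] += 1
            entry = profile.setdefault(path, {"attrs": set(), "max_count": 0})
            entry["attrs"] |= attrs
        for path, n in counts.items():
            profile[path]["max_count"] = max(profile[path]["max_count"], n)
    return profile


def check_message(profile, msg, max_bytes=64 * 1024):
    """Return a list of anomaly descriptions; an empty list means the message
    fits the learned profile.  Oversize or malformed input is itself an anomaly."""
    if len(msg) > max_bytes:
        return [f"oversize: {len(msg)} bytes > {max_bytes}"]
    try:
        root = ET.fromstring(msg)
    except ET.ParseError as exc:
        return [f"malformed: {exc}"]

    anomalies = []
    counts = Counter()
    for path, attrs in _paths(root):
        counts[path] += 1
        entry = profile.get(path)
        if entry is None:
            anomalies.append(f"unknown element path: {path}")
            continue
        for name in sorted(attrs - entry["attrs"]):
            anomalies.append(f"unknown attribute {name} on {path}")
    for path, n in counts.items():
        entry = profile.get(path)
        if entry is not None and n > entry["max_count"]:
            anomalies.append(f"{path} repeated {n}x (profile max {entry['max_count']})")
    return anomalies


# Constructed sample traffic for the example: two "normal" SOAP-style calls
# and one message that adds a header, an extra attribute and a repeated body element.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NORMAL_MESSAGES = [
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><GetBalance account="12345"/></s:Body></s:Envelope>',
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><GetBalance account="67890"/></s:Body></s:Envelope>',
]
SUSPECT_MESSAGE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header><Debug level="9"/></s:Header>'
    '<s:Body><GetBalance account="1" admin="true"/><GetBalance account="2"/></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    prof = learn_profile(NORMAL_MESSAGES)
    for line in check_message(prof, SUSPECT_MESSAGE):
        print(line)
```

The profile is deliberately structural only (paths, attribute names, repetition counts); text content and attribute values are left to protocol-specific checks, which is roughly the split between a generic anomaly learner and the per-protocol proxies discussed in the thread.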