Vulnerability Development mailing list archives
Re: Information on Raptor
From: BGrubin () SCIENT COM (Ben Grubin)
Date: Thu, 24 Feb 2000 12:16:59 -0600
This sounds very much like you may want to look at Argus Systems "Gibralter" product. The foundation of it is a B2-secure kernel for Solaris, on top of which there is functionality for "security gateways" which perform very much the service you describe below, but utilize kernel-level compartmentalization to prevent the security single point of failure issue you talk about. Of course conglomerating services like this does eventually lead to a loss of performance as you do more and more complex proxying, but that's when you start splitting off separate hardware.

---
Benjamin P. Grubin / bgrubin () scient com - PGP key available
Infrastructure/Security Architect / mobile (617) 513-5978 fax (617) 585-3230
Scient -- Be Legendary / http://www.scient.com/ ticker://SCNT
-----Original Message-----
From: Malikai [mailto:malikai () INTERACTIVEALIEN COM]
Sent: Wednesday, February 23, 2000 1:27 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Information on Raptor

On Tue, 22 Feb 2000, James Crooks wrote:

> I found that when I took the Raptor courses a few years ago, the instructors
> weren't from Raptor (3rd party contractors) and either didn't fully understand
> the Raptor designs or didn't agree with them. I did find that I got
> mis-information or incomplete information from the instructor in a number of
> instances.

This in fact was my case as well. After having been "trained" by a third party who apparently had "credentials" about the product, I did feel like I was still left in the cold. - If you can't do it, teach it.

> As an application gateway, Raptor can do more for you like checking protocol
> syntax (HTTP, SMTP, etc.) for valid traffic and denying access if an invalid
> protocol format is found. To be fast, packet filtering systems can't inspect
> upper layer protocols to any great extent, so they intrinsically provide less
> protection.

I can certainly agree with this approach, in fact I believe it is certainly more "secure" for the protected systems. My only problem with this approach is that we are now using very complex, nonmodular systems which do "too much", in my point of view, as security gateways. Don't get me wrong here though, I believe that "stateful filtering" is certainly a high speed, and relatively simple way of approaching this, however it leaves you out of the water when it comes to most application level attacks. With this in mind, I believe that proxies should be individual, modular systems which all serve their own function. In fact, I will continue this through to the entire security gateway (systems). To go for the "all round secure fantasy" I would also handle the VPN/encryption gateway in a separate host as well. I think this would provide several benefits:

1. Ability to integrate both filtering and proxying into one security network.
2. Speed and reliability of filtering
3. Application security of proxies (which is damn good with Raptor, I might add)
4. Faster VPN functionality
5. Multiple points of policy implementation (has benefits and caveats)
6. No single point of failure in security mechanisms

With the last issue, I found it very hard to personally accept proxies which handle everything on their own. I imagine in a nightmare scenario that someone compromises the firewall through one of its proxies. Then all of a sudden, your entire security gateway has been undermined. In a scenario when there is VPN traffic going through it as well, we have also put at risk the other sites connected.

> In Raptor 6.5 VPN/Tunnelled traffic is handled by the GSP (Generalized Service
> Passer) with full logging support.

Now this is a relief. I am unfortunately not very familiar with the Raptor product, as it shows. And due to this I was very wary about using it in VPN environments.

> Application proxies aren't for everyone:
>
> * Application proxy performance has a significant overhead per connection
> (you've got to do twice the number of TCP connections just for starters, and
> then you get to the proxy verification, etc.) as well as the overall
> internal/external application response time profile - if you want or need
> super-fast then stay away from proxy (but you also lose some application
> level security protection).
>
> * I don't think you can argue that a proxy external to the firewall is any
> more or less efficient than an internal one (you've got the extra connection
> to make anyway and an external box means another platform and OS to
> support, not to mention another vendor...)
>
> * Offering services (including proxy) directly from the firewall is a
> philosophical issue and could easily take on the aspects of a religious war
> (just like UNIX/Linux vs NT!).
>
> * I'm not sure that you can categorically say that internal proxies decrease
> the security of the gateway (I can spin some "interesting" port 80 DOS and
> other attacks straight thru a stateful inspection box that my proxy box
> stops cold).
>
> /jc

I agree 100% with all of these statements. I do however, believe that people (including myself) should understand the issues involved with proxy servers and the proxy vs. filter battles. I'm sure that people involved in both ends have very important and useful points to make. Of course, this is assuming that people can communicate about the issues, and prevent valid argument from becoming flame wars.

[=
-Malikai
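The point James Crooks makes in the quoted text above, and that Malikai picks up on, is that an application gateway checks protocol syntax before forwarding, while a packet filter (stateful or not) decides on L3/L4 fields and passes any payload on an allowed port. The following is an added illustration of that difference, not code from the thread and not Raptor's or any vendor's implementation: a minimal HTTP/1.x request syntax check of the kind an application proxy would apply, placed next to the port-only decision a packet filter makes on the same bytes. The line limit, the permitted-method set, and the sample requests are all assumptions constructed for the example.

```python
"""Application-proxy style HTTP request syntax check versus a packet filter's
port-only decision. Constructed example for the proxy-vs-filter discussion;
not Raptor's code and not a description of any product's internals."""

import re
from typing import Dict, Tuple

MAX_LINE = 4096                               # assumption: proxy per-line limit
ALLOWED_METHODS = {"GET", "HEAD", "POST"}     # assumption: site proxy policy
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 2616 token chars
VERSION = re.compile(rb"^HTTP/1\.[01]$")
# request-target: absolute path or absolute URI, printable ASCII only
TARGET = re.compile(rb"^(/[\x21-\x7e]*|https?://[\x21-\x7e]+)$")


def packet_filter_allows(dst_port: int, payload: bytes) -> bool:
    """A packet filter only sees L3/L4 fields; the payload plays no part in
    its verdict (it is accepted here purely to make the contrast explicit)."""
    return dst_port == 80


def proxy_check_http(raw: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Anything that is not well-formed HTTP/1.x is
    rejected before a single byte reaches the protected server."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no CRLFCRLF header terminator"
    lines = head.split(b"\r\n")
    if any(b"\n" in ln or b"\r" in ln for ln in lines):
        return False, "bare CR or LF inside header block"
    if any(len(ln) > MAX_LINE for ln in lines):
        return False, "line exceeds MAX_LINE"
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, "request line is not 'METHOD target VERSION'"
    method, target, version = parts
    if method.decode("ascii", "replace") not in ALLOWED_METHODS:
        return False, "method not permitted by proxy policy"
    if not TARGET.match(target):
        return False, "malformed request-target"
    if not VERSION.match(version):
        return False, "unsupported or malformed HTTP version"
    seen_host = False
    for ln in lines[1:]:
        name, colon, value = ln.partition(b":")
        if not colon or not TOKEN.match(name):
            return False, "malformed header field"
        if any(c < 0x20 and c != 0x09 for c in value) or b"\x7f" in value:
            return False, "control character in header value"
        lname = name.lower()
        if lname == b"host":
            seen_host = True
        if lname == b"content-length" and not value.strip().isdigit():
            return False, "non-numeric Content-Length"
    if version == b"HTTP/1.1" and not seen_host:
        return False, "HTTP/1.1 request without Host header"
    return True, "ok"


# Constructed sample requests; imagine each arriving on TCP port 80.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OVERLONG = b"GET /" + b"A" * 8000 + b" HTTP/1.0\r\n\r\n"      # overflow-shaped request line
BAD_EOL = b"GET / HTTP/1.0\nHost: x\n\n"                       # LF-only line endings
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: x\r\n\r\n"            # method outside policy
SMUGGLE = b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5; 10\r\n\r\nhello"


def compare(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (packet filter verdict, proxy verdict)."""
    return {n: (packet_filter_allows(80, r), proxy_check_http(r)[0])
            for n, r in samples.items()}


if __name__ == "__main__":
    verdicts = compare({"good": GOOD, "overlong": OVERLONG, "bad_eol": BAD_EOL,
                        "bad_method": BAD_METHOD, "smuggle": SMUGGLE})
    for name, (pf, px) in verdicts.items():
        print(f"{name:11s} packet-filter={pf!s:5s} proxy={px}")
```

Every sample passes the packet filter, because all of them are addressed to port 80; only the well-formed request passes the proxy check. That asymmetry is the whole of the security argument for application gateways in the thread, and the per-connection parsing shown here is also where the performance cost Crooks mentions comes from.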
Current thread:
- Re: Single SignOn, (continued)
- Re: Single SignOn Simple Nomad (Feb 24)
- office 2k security bug? Torgeir Hansen (Feb 22)
- R: office 2k security bug? Raistlin (Feb 23)
- Fwd: ANNOUNCEMENT: Lighting Firewall for Linux released Grzegorz Stelmaszek (Feb 23)
- Re: Information on Raptor James Crooks (Feb 21)
- Re: Information on Raptor David J Laumann (Feb 21)
- Re: Information on Raptor Marcelo Amaral - ALTAVISTA.NET (Feb 21)
- Re: Information on Raptor CL: Nelson, Jeff (Feb 24)
- Re: Information on Raptor IC&S - Eelco van Beek (Feb 25)
- Re: Information on Raptor Daniel Liebster (Feb 25)
- Re: Information on Raptor Ben Grubin (Feb 24)
- Dedicated vs "shared use" firewalls Forrest W. Christian (Feb 24)
- Buffer overflows on Netware 4x and 5x Roland Kool (Feb 28)
- Re: Dedicated vs "shared use" firewalls Anton J Aylward, CISSP (Feb 28)
- Dedicated vs "shared use" firewalls Forrest W. Christian (Feb 24)
- Re: Information on Raptor Crother, Mark (Feb 24)