Firewall Wizards: Re: IPS vs. Firewalls (why vs. ?)

Re: IPS vs. Firewalls (why vs. ?)

From: Dave Piscitello <dave_at_corecom.com>
Date: Tue, 07 Feb 2006 13:49:35 -0500

Gabriele Buratti wrote:
> Dave Piscitello wrote:
> > If you take issue with this, consider
> > that some companies who bash proxies as being performance inhibitors
> > bolt SSL VPNs onto their firewalls.
>
> Yep ! You still need proxies to do this SSL stuff as long as to hook an
> antivirus for example.
> Remember the old networking rule "switch when you can, route when you
> must" ? In this field could be read as "analyze on-the-fly when you can,
> rewrite with a proxy when you must".

An interesting exercise for this list - possibly a new thread? - is
"what security policies are best enforced by implementing "on-the-fly
analysis" versus "what security policies are best enforced by proxy
rewrites".

> You have to use both approaches here: let's say our knowledgebase is the
> definition of http protocol as it should be. So, if you find malformed
> http (=non compliant) you drop it. What if you find some instant
> messaging traffic (you don't want in your network) that is http compliant ?

Apply recursion. Because different traffic is now multiplexed over a
well-known port, in many cases it's not enough to only look for
malformed http traffic. We have to decide whether the correctly formed
traffic is allowed or disallowed by policy. What makes this more
problematic here than at the link and IP levels is that we can't always
rely on unique discriminators like Ethernet/SNAP TCP/UDP port, and IP
protocol.

So you again have to think about on-the-fly versus rewrite. You again
have to think about the effects of a default deny all at the end of your
allow policies (e.g., I allow protocols x, y, and z over http/80 and
deny all non-compliant http as well as any protocol but x, y, and z).

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Received on Feb 07 2006
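The two-stage policy Dave sketches (drop non-compliant HTTP first, then allow only protocols x, y, z over port 80 and default-deny the rest) as an added, self-contained illustration that is not part of the thread; the request syntax check is a deliberately strict subset of HTTP/1.1, and the protocol classifiers, the three allowed protocol names and the sample requests are all constructed for this example.

```python
import re

# Stage 1: syntactic compliance. A strict, constructed subset of HTTP/1.1 request
# syntax: request line, simple header lines, and a mandatory Host header.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (/\S*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+): ?(.*)$")


def parse_http_request(raw: str):
    """Return (method, target, headers) for a well-formed request, or None if non-compliant."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        h = HEADER_LINE.match(line)
        if not h:
            return None         # garbage where a header should be: non-compliant
        headers[h.group(1).lower()] = h.group(2)
    if "host" not in headers:   # HTTP/1.1 requires Host
        return None
    return m.group(1), m.group(2), headers


# Stage 2: policy over traffic that already passed stage 1. These classifiers are
# constructed heuristics standing in for a real protocol-identification engine.
def classify(method, target, headers):
    if headers.get("content-type", "").startswith("application/soap+xml") or "soapaction" in headers:
        return "soap"
    if headers.get("host", "").endswith("updates.example"):
        return "software-update"
    if "messenger" in headers.get("user-agent", "").lower():
        return "instant-messaging"
    return "plain-web"


# The post's "protocols x, y, and z": everything not listed here is denied by default.
ALLOWED = {"plain-web", "soap", "software-update"}


def decide(raw: str) -> str:
    parsed = parse_http_request(raw)
    if parsed is None:
        return "drop: non-compliant http"
    proto = classify(*parsed)
    if proto in ALLOWED:
        return f"allow: {proto}"
    return f"drop: {proto} not in allow list"
```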