Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: RE: on-the-fly-analysis vs. proxy rewrites

RE: on-the-fly-analysis vs. proxy rewrites

From: Behm, Jeffrey L. <BehmJL_at_bvsg.com>
Date: Fri, 10 Feb 2006 09:21:02 -0600

>On Friday, February 10, 2006 8:55 AM, Darren Reed so wrote:
>>On Wednesday, February 08, 2006 5:39, PM Jeff Behm wrote:
>> > On Wednesday, February 08, 2006 1:27 AM, Darren Reed so wrote:
>>
>> >> On Tuesday, February 07, 2006 12:50 PM, Dave Piscitello so spake:
>> >>
>> >> >An interesting exercise for this list - possibly a new thread? -
is
>> >> >"what security policies are best enforced by implementing
>> "on-the-fly
>> >> >analysis" versus "what security policies are best enforced by
proxy
>> >> >rewrites".
>> >
>> >How is one different to the other ?
>> >
>> >How is a proxy not doing something "on the fly" ?
>>
>> My sometimes jaded view is that the proxy rewrites the traffic to
>> conform to whatever the proxy writer wrote. Hopefully, that matches
up
>> with some standard protocol to _provide_ the security. I.E. You get
the
>> security from the proxy writer having rewritten your traffic. It's
doing
>> *something,* true, but it's not "checking" anything. It's just not
>> re-writing any *bad* stuff.
>
>That is still "on the fly". The original question (however flawed it
>was), wanted to compare "on the fly" vs proxy. I'd assert that in
>nearly all cases, except for SMTP, the proxy IS "on the fly".

Hmmmm...contemplating...should I respond or let this die?...It's only a
small technical point I'm trying to make here anyway...

I can see how one could assert that, but I feel you're leaving off a
very important and meaning-changing word from the OP's question. That
word is "analysis." Proxy stuff *is* on-the-fly, but (IMHO) it is *not*
on-the-fly-analysis, which is what the OP asked to compare. It's just
taking a request and rewriting it to conform to the proxy writer's
interpretation of the standard protocol (as MJR eloquently pointed out,
(paraphrased) "The proxy writer should only implement that part of the
protocol that is absolutely necessary, i.e. a subset of the entire
protocol."). Quote from MJR from another post... "<mjr>So a proxy
serves not only as an application protocol validation sieve, it's also
sort of an application protocol minimizer.</mjr>"

On the fly *analysis* (to me) means looking at the data in the different
layers and verifying they are "correct" (whatever that means) against
the standard. I.E. Analyzing the data. The proxy parses the data and
rewrites it based on the proxy writer's implementation, but the proxy
isn't "enforcing" or analyzing the data. It's just rewriting it to
conform.

A subtle, but important difference that I tried to make when I said
"It's doing something, but it's not checking anything." I should have
changed "checking" to "analyzing." We're really a bit OT chasing a
tangent here, and I almost didn't respond, but I believe it is a
important distinction to make. Also, I'm not sure anyone has really
answered the OQ...

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 19 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos