mailing list archives
RE: on-the-fly-analysis vs. proxy rewrites
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 08 Feb 2006 19:21:11 -0500
Behm, Jeffrey L. wrote:
My sometimes jaded view is that the proxy rewrites the traffic to
conform to whatever the proxy writer wrote.
Typically, a proxy also only carries a _subset_ of a full protocol.
That's based on a combination of observation and the designer's
assessment of what is "necessary" and "safe". For example,
a proxy might implement basic SMTP for mail collection and
trap all ESMTP commands to a subroutine that only knows
how to return a "command unknown" error. A boundary DNS
proxy might know how to issue queries but might not even
contain code that knows how to do a zone transfer - and
by omitting that code entirely you can be fairly confident
that any vulnerabilities in that code-branch will not work
against the proxy or systems behind it.
A gateway device has absolutely no reason to implement a
full application protocol stack beyond the absolute minimum
necessary to get the data back and forth. So a proxy serves
not only as an application protocol validation sieve, it's also
sort of an application protocol minimizer.
firewall-wizards mailing list
firewall-wizards () honor icsalabs com