Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

RE: on-the-fly-analysis vs. proxy rewrites
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Fri, 10 Feb 2006 09:21:02 -0600

On Friday, February 10, 2006 8:55 AM, Darren Reed so wrote: 
On Wednesday, February 08, 2006 5:39, PM Jeff Behm wrote:
On Wednesday, February 08, 2006 1:27 AM, Darren Reed so wrote:

On Tuesday, February 07, 2006 12:50 PM, Dave Piscitello so spake:

An interesting exercise for this list - possibly a new thread? -
"what security policies are best enforced by implementing
analysis" versus "what security policies are best enforced by

How is one different to the other ?

How is a proxy not doing something "on the fly" ?

My sometimes jaded view is that the proxy rewrites the traffic to
conform to whatever the proxy writer wrote. Hopefully, that matches
with some standard protocol to _provide_ the security. I.E. You get
security from the proxy writer having rewritten your traffic. It's
*something,* true, but it's not "checking" anything. It's just not
re-writing any *bad* stuff.

That is still "on the fly".  The original question (however flawed it
was), wanted to compare "on the fly" vs proxy.  I'd assert that in
nearly all cases, except for SMTP, the proxy IS "on the fly".

Hmmmm...contemplating...should I respond or let this die?...It's only a
small technical point I'm trying to make here anyway...

I can see how one could assert that, but I feel you're leaving off a
very important and meaning-changing word from the OP's question. That
word is "analysis." Proxy stuff *is* on-the-fly, but (IMHO) it is *not*
on-the-fly-analysis, which is what the OP asked to compare. It's just
taking a request and rewriting it to conform to the proxy writer's
interpretation of the standard protocol (as MJR eloquently pointed out,
(paraphrased) "The proxy writer should only implement that part of the
protocol that is absolutely necessary, i.e. a subset of the entire
protocol.").  Quote from MJR from another post... "<mjr>So a proxy
serves not only as an application protocol validation sieve, it's also
sort of an application protocol minimizer.</mjr>"

On the fly *analysis* (to me) means looking at the data in the different
layers and verifying they are "correct" (whatever that means) against
the standard. I.E. Analyzing the data. The proxy parses the data and
rewrites it based on the proxy writer's implementation, but the proxy
isn't "enforcing" or analyzing the data. It's just rewriting it to

A subtle, but important difference that I tried to make when I said
"It's doing something, but it's not checking anything." I should have
changed "checking" to "analyzing." We're really a bit OT chasing a
tangent here, and I almost didn't respond, but I believe it is a
important distinction to make. Also, I'm not sure anyone has really
answered the OQ...

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]