Firewall Wizards mailing list archives

RE: What is a proxy?


From: "Andreas Haug" <andreas.haug () this net>
Date: Thu, 25 Jan 2001 09:47:11 +0100


The same topic came up on the firewall list a year ago. Back then I asked
(if I remember correctly) in essence, if we, as a security community, should
_demand_ that vendors publish what kind of proxy they are selling.  Frederick
M Avolio <fred () avolio com> told me he would write up some "firewall
description criteria" but I have not heard of this since. (Perhaps he is
reading this list and would like to comment; perhaps I missed his paper).

In any case, I still have the strong urge to get to know what these proxies
are. At least because this could make my life as a consultant easier. For
example: I had a Raptor/Axent/Symantec/whoever-owns-it-today Eagle firewall
set between two other application layer proxies. The HTTP proxy didn't work
until I gave it a default route and access to the DNS. There was no
functional need for either in that setup (really: the setup was designed in
a way that we could use a non-default-routing firewall with no connection to
the DNS.)

Or consider Firewall-1: If you "allow FTP", it just opens up Port 21 like a
plug-gw. Makes the AOL Messenger users happy. One has to set it to "allow
FTP: get & put *" to activate the 'security server' and prevent abuse of the
FTP port. And remembering last year's revelations about creative use (read:
abuse) of the FTP PORT command...

There are some problems in proxies doing "more application layer" things but
in any case, as I said above, I think it is very important to know what you
buy and what you use. I can't answer your question apart from the two things
above, but I second your question. Perhaps we could collect the knowledge of
our list members, write a petition to the vendors, and put up a web page?

Another idea: Why shouldn't an IDS monitor for creative protocol (ab-)use?
If we allow outbound FTP, why shouldn't the IDS check if it's really FTP?
During an IDS test, BI-Sentry told me about "Long FTP command" although it
could have told me something like "Hey, this thing on Port 21 doesn't look
like FTP. Perhaps you might want to check your firewall settings or tell me
if this is ok." (On the other hand, RealSecure just ignored it, perhaps
thinking "if it doesn't look like FTP, then there is no server to attack".)
The goal would be to have an "external application layer protocol verifier"
to support the plug-gw-like firewall (which one has to use because of
performance or company policy reasons).

andreas.

P.S.: Robert: Last week, I sent in a feature request for
strict-protocol-checking for FTP, HTTP, HTTPS and HBCI in BlackIce. Perhaps
someone is already working on it? ;-)

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Robert Graham
Sent: Wednesday, January 24, 2001 12:45 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] What is a proxy?

[...]
My question is this: has anybody done a review of the proxies out there
(specifically HTTP, SMTP, POP3, etc.) that measures the degree to which the
proxy service "cleanses" information passing through it? In the POP3 space,
I found at least 10 different proxies; I have no idea what features any of
them have, I suspect most are just port forwarders once they proudly display
their own helo banner. I would suspect that a few are stateless line
cleansers like my first design, but I can't imagine that many implement full
protocol state machines. (Again, I'm odd that way -- my answer is typically
"use a full protocol state machine", now what was your question?)

Likewise, do people consider this an important issue? I am deathly afraid of
data-driven attacks -- this is one of the Big Holes in security that people
don't talk much about and frankly firewalls don't really protect against
(much like the PCWeek hacking contest where an HTTP server was compromised
despite an HTTP proxying firewall in front of it).
[...]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
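The "external application layer protocol verifier" Andreas asks for, and the "full protocol state machine" Robert contrasts with a stateless line cleanser, can be sketched as a small stateful FTP checker that an IDS would run over client-to-server lines on port 21. The code below is an added example for this archive page, not code from either poster or from any product named in the thread; the command table, the 512-byte line limit, the login sequence it enforces, and all sample traffic are constructed for the example. It reports the kind of alert Andreas wanted ("this doesn't look like FTP") and checks the PORT argument against the connecting client's address, which is the usual defence against the PORT abuse he refers to.

```python
"""
Added example: a stateful FTP conformance checker of the kind an IDS could
run on traffic that a plug-gw style rule lets through on port 21.
It only sees the client->server side; a production verifier would also track
server replies (e.g. a 230 after USER for anonymous logins).
"""
import re
from dataclasses import dataclass, field

# RFC 959 verbs plus a few common extensions; anything else "does not look like FTP".
FTP_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "QUIT", "PORT", "PASV", "TYPE",
    "MODE", "STRU", "RETR", "STOR", "APPE", "LIST", "NLST", "SYST", "STAT",
    "HELP", "NOOP", "PWD", "MKD", "RMD", "DELE", "RNFR", "RNTO", "ABOR",
    "SIZE", "FEAT", "OPTS", "EPSV", "EPRT",
}
MAX_LINE = 512  # constructed limit; FTP command lines are short in practice

# <verb> [SP <argument>] CRLF, verb is 3 or 4 letters
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: ([^\r\n]*))?\r\n\Z")
# PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\Z")


@dataclass
class FtpVerifier:
    client_ip: str            # address the TCP connection came from
    state: str = "NEED_USER"  # NEED_USER -> NEED_PASS -> LOGGED_IN
    alerts: list = field(default_factory=list)

    def feed(self, line: bytes) -> bool:
        """Check one client->server line; return True if it conforms."""
        if len(line) > MAX_LINE:
            self.alerts.append("long FTP command line (%d bytes)" % len(line))
            return False
        m = CMD_RE.match(line)
        if not m:
            self.alerts.append("line does not look like an FTP command: %r" % line[:40])
            return False
        verb = m.group(1).upper().decode()
        arg = m.group(2)
        if verb not in FTP_COMMANDS:
            self.alerts.append("unknown FTP verb %r (not FTP on port 21?)" % verb)
            return False
        # Sequence checks: a real client authenticates before anything else.
        if self.state == "NEED_USER":
            if verb != "USER":
                self.alerts.append("%s before USER" % verb)
                return False
            self.state = "NEED_PASS"
            return True
        if self.state == "NEED_PASS":
            if verb != "PASS":
                self.alerts.append("%s before PASS" % verb)
                return False
            self.state = "LOGGED_IN"
            return True
        if verb == "PORT":
            return self._check_port(arg)
        return True

    def _check_port(self, arg) -> bool:
        """PORT must name the client itself and an unprivileged port."""
        pm = PORT_RE.match(arg or b"")
        if not pm:
            self.alerts.append("malformed PORT argument")
            return False
        nums = [int(x) for x in pm.groups()]
        if any(n > 255 for n in nums):
            self.alerts.append("PORT octet out of range")
            return False
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        if host != self.client_ip:
            self.alerts.append("PORT names %s, not the client %s" % (host, self.client_ip))
            return False
        if port < 1024:
            self.alerts.append("PORT asks for privileged port %d" % port)
            return False
        return True


def verify_session(client_ip, lines):
    """Run every line through the verifier; return (all_ok, alerts)."""
    v = FtpVerifier(client_ip)
    results = [v.feed(line) for line in lines]  # list, not all(): no short-circuit
    return all(results), v.alerts


if __name__ == "__main__":
    # Constructed sample sessions from client 192.168.1.10.
    samples = {
        "clean": [b"USER alice\r\n", b"PASS s3cret\r\n",
                  b"PORT 192,168,1,10,4,1\r\n", b"RETR report.txt\r\n", b"QUIT\r\n"],
        "http on 21": [b"GET / HTTP/1.0\r\n"],
        "third-party PORT": [b"USER alice\r\n", b"PASS x\r\n", b"PORT 10,0,0,5,0,25\r\n"],
        "long command": [b"USER " + b"A" * 600 + b"\r\n"],
    }
    for name, lines in samples.items():
        print(name, verify_session("192.168.1.10", lines))
```

The sequence state is deliberately minimal (USER, then PASS, then anything); the point is that once the verifier tracks state at all, it can say "RETR before USER" or "this is HTTP, not FTP" instead of only "long FTP command", which is the difference Andreas draws between the two IDS products he tested.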
