Firewall Wizards mailing list archives

Re: Stateful Proxying?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 17 Mar 2003 21:37:46 -0500 (EST)

On Mon, 17 Mar 2003, Small, Jim wrote:

> While talking about Firewalls and Proxies, I was asked, can you have a
> "Stateful Proxy"?

True proxies are stateful by their nature, they do TCP state on the hosts' 
stack, and application level state on the client and server sides of their 
code.

> It seems like a simple enough question, but I was not sure how to answer it.
> Typically a Proxy Server doesn't forward IP packets, so it must listen for
> any service it proxies and then "proxy" the service.  This almost implies
> state, doesn't it?  But do Proxy servers watch ack and sequence numbers or

It almost always implies state.

> "keep state" like a stateful packet filter does?  Am I thinking about this
> correctly?

Sequence numbers are a part of the host stack on a proxy, so yes, it does 
indeed keep track of them (assuming the stack isn't horribly broken.)

> If a Proxy Server is "stateful" then the difference between a stateful
> packet filter and a stateful proxy becomes small indeed.  Would you then

Like all things computerish, it depends a lot on implementation.

> classify the difference as whether or not the proxy server breaks the
> connection/circuit and how far up the OSI model it checks and how thoroughly
> it checks the protocols for RFC/rules conformance?

> I would greatly appreciate any feedback or pointers.

Proxies, filters and hybrids all do differing things, sometimes on the 
same system for different protocols.  There's so much variance in 
different systems that it's really a bad idea to try to generalize at this 
point.

Don't forget though that some RFCs are better broken from a security 
context (like parts of FTP if you must allow it at all.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
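As an added illustration, not part of the thread, of what a stateful packet filter has to do by hand while a proxy gets it from its host TCP stack: the constructed Python state table below follows one TCP flow through the handshake and then admits data only with the expected sequence and acknowledgement numbers. Addresses, ports and packet fields are made up, and it accepts only exactly in-order data, a simplification of real window handling.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    """Constructed TCP header summary (no payload bytes, just the fields a filter reads)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A", "PA", "FA" ...
    seq: int
    ack: int = 0
    length: int = 0     # payload bytes


class StatefulFilter:
    """Per-flow state table: handshake progress plus next expected seq from each side."""

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.table = {}   # (client, cport, server, sport) -> {"state", "c", "s"}

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            flow, me, peer = self.table[fwd], "c", "s"
        elif rev in self.table:
            flow, me, peer = self.table[rev], "s", "c"
        else:
            # No state yet: only a bare SYN to a permitted port may create a flow,
            # so a stray ACK (e.g. an ACK scan) never matches and is dropped.
            if p.flags == "S" and p.dport in self.allowed:
                self.table[fwd] = {"state": "SYN_SENT", "c": p.seq + 1, "s": None}
                return "ALLOW"
            return "DROP"
        st = flow["state"]
        if st == "SYN_SENT" and me == "s" and p.flags == "SA" and p.ack == flow["c"]:
            flow["s"], flow["state"] = p.seq + 1, "SYN_RECV"
            return "ALLOW"
        if (st == "SYN_RECV" and me == "c" and "S" not in p.flags and "A" in p.flags
                and p.seq == flow["c"] and p.ack == flow["s"]):
            flow["state"] = "ESTABLISHED"
            return "ALLOW"
        # Established: seq must be exactly what we expect from this side, and the
        # ack may not run ahead of what the other side has actually sent.
        if st == "ESTABLISHED" and "A" in p.flags and p.seq == flow[me] and p.ack <= flow[peer]:
            flow[me] += p.length + ("F" in p.flags)
            return "ALLOW"
        return "DROP"


def run_scenario():
    """Constructed flow: handshake, data both ways, then two packets that must fail."""
    f, c, s = StatefulFilter([80]), ("10.0.0.5", 40000), ("192.0.2.10", 80)
    pkts = [Pkt(*c, *s, "S", seq=1000), Pkt(*s, *c, "SA", seq=5000, ack=1001),
            Pkt(*c, *s, "A", seq=1001, ack=5001), Pkt(*c, *s, "PA", seq=1001, ack=5001, length=20),
            Pkt(*s, *c, "PA", seq=5001, ack=1021, length=100),
            Pkt(*c, *s, "PA", seq=9999, ack=5101, length=5),           # wrong seq: spoof attempt
            Pkt("198.51.100.7", 1234, "192.0.2.10", 80, "A", seq=1, ack=1)]  # no state: bare ACK
    return [f.inspect(p) for p in pkts]
```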

