Firewall Wizards mailing list archives
RE: on-the-fly-analysis vs. proxy rewrites
From: "Hawkins, Michael" <MHawkins () TULLIB COM>
Date: Wed, 8 Feb 2006 20:57:07 -0500
Marcus,

You keep using SMTP as an example, but that is such a small bunch of RFCs. What about trying to deal with HTTP, which has almost no bounds? There are too many possible URIs. All of the proxies I've looked at (and that's not many) do very little in the way of breaking down the URI and handling those various subcomponents (such as JavaScript, ActiveX, even DLLs). It's usually block all JavaScript (useless) or let it all through (worse than useless). And what do you do when there are hundreds of nasty DLLs in paths and hundreds of good ones? I mean, where do you start?

And with all the other demands placed upon my valuable time and resource, how on earth could someone possibly be expected to parse and control every nuance within the realm of HTTP? What about parsing the query? What's safe? What's not? I feel that the horse has already bolted on that one. But any suggestions would be gratefully considered.

Mike Hawkins
New York Office: 212-208-3888
White Plains Office: 914-729-2790
Mobile: 917-887-3614

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Marcus J. Ranum
Sent: Wednesday, February 08, 2006 7:21 PM
To: Behm, Jeffrey L.; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] on-the-fly-analysis vs. proxy rewrites

Behm, Jeffrey L. wrote:
> My sometimes jaded view is that the proxy rewrites the traffic to conform to whatever the proxy writer wrote.
Typically, a proxy also only carries a _subset_ of a full protocol. That's based on a combination of observation and the designer's assessment of what is "necessary" and "safe". For example, a proxy might implement basic SMTP for mail collection and trap all ESMTP commands to a subroutine that only knows how to return a "command unknown" error. A boundary DNS proxy might know how to issue queries but might not even contain code that knows how to do a zone transfer - and by omitting that code entirely you can be fairly confident that any vulnerabilities in that code-branch will not work against the proxy or systems behind it. A gateway device has absolutely no reason to implement a full application protocol stack beyond the absolute minimum necessary to get the data back and forth.

So a proxy serves not only as an application protocol validation sieve, it's also sort of an application protocol minimizer.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
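Marcus's SMTP example in working form, as an added illustration that is not part of this thread or of any product: a command sieve that relays only a fixed set of basic SMTP verbs in a canonical rewritten form and traps everything else (every ESMTP verb and parameter included) with one fixed "command unrecognized" reply. The verb set, argument grammars and reply codes are this example's own choices.

```python
import re
from typing import Tuple

# Basic SMTP verbs the proxy is willing to relay. Every ESMTP extension verb
# (EHLO, STARTTLS, AUTH, BDAT, ...) is absent, so it is trapped below and
# answered with a fixed error instead of being forwarded. Verb set, argument
# grammars and reply codes are this example's own choices, not any product's.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512  # command line limit including CRLF (RFC 5321 section 4.5.3.1)

# Per-verb argument grammar, deliberately narrower than the RFC allows:
# no ESMTP parameters after the path, no source routes, no whitespace games.
ARG_PATTERNS = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-]{1,255}$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]{0,254}>$", re.IGNORECASE),
    "RCPT": re.compile(r"^TO:<[^<>\s]{1,254}>$", re.IGNORECASE),
    "DATA": re.compile(r"^$"),
    "RSET": re.compile(r"^$"),
    "NOOP": re.compile(r"^.{0,64}$"),
    "QUIT": re.compile(r"^$"),
}

def screen_command(line: str) -> Tuple[bool, str]:
    """Sieve one client command line. Returns (relay, text): relay=True means
    text is the canonical form to send upstream; relay=False means text is the
    error reply for the client and nothing reaches the server behind the proxy."""
    if len(line) > MAX_LINE or not line.endswith("\r\n"):
        return False, "500 Line too long or not CRLF terminated\r\n"
    body = line[:-2]
    if any(not 32 <= ord(c) <= 126 for c in body):
        return False, "501 Control or non-ASCII character in command\r\n"
    verb, _, args = body.partition(" ")
    verb = verb.upper()
    args = args.strip()
    if verb not in ALLOWED_VERBS:
        # The "command unknown" trap: one fixed answer for everything unimplemented.
        return False, "500 Command unrecognized\r\n"
    if not ARG_PATTERNS[verb].match(args):
        return False, "501 Syntax error in parameters or arguments\r\n"
    # Rewrite to one canonical form so the upstream server only ever sees
    # commands the proxy itself reconstructed, never the client's raw bytes.
    return True, (f"{verb} {args}" if args else verb) + "\r\n"

if __name__ == "__main__":
    # Constructed sample session: a client probing for ESMTP features first.
    for cmd in ("EHLO c.example\r\n", "HELO c.example\r\n", "DATA\r\n",
                "MAIL FROM:<a@example.net> SIZE=100000\r\n", "MAIL FROM:<a@example.net>\r\n"):
        relay, text = screen_command(cmd)
        print(("RELAY " if relay else "REPLY ") + text.rstrip())
```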
