Re: Gauntlet adaptive proxies

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Kevin Steves, sie wrote:
> On Tue, 10 Nov 1998, Darren Reed wrote:
> : CheckPoint doesn't have proxies for a start, so all it does is either
> : pass or deny packets.  For Gauntlet, there is a fundamental difference
> : for the path taken by data in the HTTP example above.  For the first
> : 20 or so, the packets are interpreted by the local kernel as being a
> : part of a local TCP connection, resulting in data being copied in/out
> : of a user-space proxy.  Once the proxy is happy, it tells the kernel to
> : just pass the rest of the packets through - basic pkt filtering.  There
> : is no longer any copying of data between kernel/user space, no local
> : interpretation of TCP packets, etc.
>
> One quote from the paper is: "With an adaptive proxy firewall, initial
> security examinations are still conducted at the secure application
> layer, but subsequent packets can be redirected through the network
> layer as soon as the security clearance has been made".  In the case
> above I assume the proxy has built a new TCP connection to the
> destination server, then at some point decides it's OK to packet filter
> the connection.  What about address and sequence number translation in
> this case?

I can't see that as being an obstacle.  All the information is there,
somewhere, you just have to get it and massage it appropriately when
sending packets back and forth.

Heck, I can envisage being able to even go back into "proxy mode" from
packet forwarding.

Darren