Firewall Wizards mailing list archives
What is a proxy?
From: "Robert Graham" <robert_david_graham () yahoo com>
Date: Wed, 24 Jan 2001 03:45:29 -0800
This issue of "air gap" got me thinking down the lines about the quality of various firewall proxies. They range from simple port forwarders to extensive protocol machines.

For example, I wrote my own POP3 proxy (I'm odd that way -- I don't even trust Open Source that I've reviewed). I first considered simple port forwarding, but of course that would allow potential buffer overflows through to the backend server. Therefore, I wrote some simple cleansing routines, not only cleansing client input but stripping server responses in order to hide any identifying information (so you won't know which exploits to even try). Then I wanted a silly feature whereby it would sort messages by size (so downloading e-mail from a hotel room becomes easier), so I had to basically create a full POP3 server state-machine that virtualizes all protocol exchanges. POP3 has a number of optional protocol operations (UIDL, TOP, LAST); if I wanted to spend the effort (and if I were willing to store persistent info on the proxy's hard-disk), I could virtualize everything. E.g. the LAST command allows you to mark which messages you've read so that you don't re-read them the next time you log on; even if the backend POP3 server doesn't remember the command, I can still record the info on the proxy hard disk and emulate it.

This entire story demonstrates the huge variety possible with proxy services. Whatever you think of the value of a "gap", Whale Com's solution does have the attribute that it is probably one of the more anal proxies.

My question is this: has anybody done a review of the proxies out there (specifically HTTP, SMTP, POP3, etc.) that measures the degree to which the proxy service "cleanses" information passing through it? In the POP3 space, I found at least 10 different proxies; I have no idea what features any of them have, I suspect most are just port forwarders once they proudly display their own helo banner. I would suspect that a few are stateless line cleansers like my first design, but I can't imagine that many implement full protocol state machines. (Again, I'm odd that way -- my answer is typically "use a full protocol state machine", now what was your question?)

Likewise, do people consider this an important issue? I am deathly afraid of data-driven attacks -- this is one of the Big Holes in security that people don't talk much about and frankly firewalls don't really protect against (much like the PCWeek hacking contest where an HTTP server was compromised despite an HTTP proxying firewall in front of it).

Finally, I would be interested in stories from people and how they protect against data-driven attacks.

Regards,
Robert Graham
CTO/Network ICE

PS: "data-driven" is one of the many terms used to describe a situation whereby an attacker carefully constructs input that passes initial checks but which may cause an unexpected result deep within the system. Full disclosure: an example would be RFP's exploit against our own product where he was able to exploit a Microsoft vulnerability in the backend Access database by carefully constructing input IDS events that would later be stored there. Our solution was to carefully examine all input into the system matching against the Microsoft vulnerability. The real rub is that Access isn't even officially supported (we recommend MS SQL), but we still had to fix it.
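The post contrasts three kinds of POP3 proxy: a port forwarder, a stateless line cleanser, and a full protocol state machine. The block below is an added example (not the poster's code, and not any product's) of the third kind, reduced to the policy engine a proxy would sit on: it tracks the RFC 1939 AUTHORIZATION/TRANSACTION states, accepts only the commands valid in the current state with arguments matching a per-command grammar (40-character argument limit from RFC 1939, 255-octet command-line limit from RFC 2449), rebuilds the forwarded command from the parsed parts rather than echoing the client's bytes, replaces the server greeting with a fixed banner so software and version never reach the client, collapses server error text, and answers the RFC 1460 LAST command itself from proxy-side state, as the post describes. The class name, the banner text, the choice to reject pipelined commands, and the sample exchange are all constructed for this example. Sockets are deliberately left out; the caller feeds one line at a time from each side.

```python
import re

# Per-state command grammar (RFC 1939): a 3-4 letter keyword, then single-SPACE
# separated arguments of at most 40 characters each. Message numbers are positive
# decimal integers. APOP is not offered: it needs the server greeting's timestamp,
# which this proxy hides. LAST (RFC 1460) is listed so the proxy can emulate it.
TOKEN = r"[\x21-\x7e]{1,40}"
NUM = r"[1-9][0-9]{0,8}"
GRAMMAR = {
    "AUTHORIZATION": {
        "USER": TOKEN,
        "PASS": r"[\x20-\x7e]{1,40}",   # passwords may legitimately contain spaces
        "QUIT": r"",
    },
    "TRANSACTION": {
        "STAT": r"", "NOOP": r"", "RSET": r"", "QUIT": r"", "LAST": r"",
        "LIST": rf"(?:{NUM})?", "UIDL": rf"(?:{NUM})?",
        "RETR": NUM, "DELE": NUM,
        "TOP": rf"{NUM} [0-9]{{1,6}}",
    },
}


class Pop3Filter:
    """Per-session POP3 policy engine (hypothetical name): the state machine a
    full proxy is built around. Feed it one line from the client or server at a
    time; it says what to forward, what to reject, and what to answer itself."""

    def __init__(self, banner=b"+OK POP3 proxy ready\r\n"):
        self.state = "AUTHORIZATION"
        self.banner = banner
        self.greeted = False      # server greeting replaced yet?
        self.pending = None       # (keyword, args) awaiting the server's status line
        self.multiline = False    # inside a multi-line server response
        self.last_read = 0        # highest message number the client fetched (for LAST)

    def from_client(self, line):
        """Return ('forward', canonical_line) | ('reject', err_line) | ('reply', line)."""
        if self.pending is not None or self.multiline:
            # Proxy policy: no pipelining, so every reply maps to one known command.
            return ("reject", b"-ERR one command at a time\r\n")
        body = line[:-2] if line.endswith(b"\r\n") else None
        if body is None or len(line) > 255 or any(c < 0x20 or c > 0x7e for c in body):
            # Oversized lines, bare CR/LF, NUL and 8-bit bytes never reach the server.
            return ("reject", b"-ERR malformed command\r\n")
        keyword, _, args = body.decode("ascii").partition(" ")
        keyword = keyword.upper()
        rule = GRAMMAR[self.state].get(keyword)
        if rule is None:
            return ("reject", b"-ERR command not permitted in this state\r\n")
        if re.fullmatch(rule, args) is None:
            return ("reject", b"-ERR bad argument\r\n")
        if keyword == "LAST":
            # Emulated from proxy-side state; the backend never sees it.
            return ("reply", f"+OK {self.last_read}\r\n".encode("ascii"))
        self.pending = (keyword, args)
        canonical = keyword + (" " + args if args else "") + "\r\n"   # rebuilt, not echoed
        return ("forward", canonical.encode("ascii"))

    def from_server(self, line):
        """Return the line to relay to the client, scrubbed of server-specific text."""
        if not self.greeted:
            self.greeted = True
            return self.banner    # real greeting (software, version, APOP stamp) is hidden
        if self.multiline:
            # Message data passes through until the terminating "."; a stricter
            # proxy would parse the message itself here.
            if line == b".\r\n":
                self.multiline = False
            return line
        ok = line.startswith(b"+OK")
        if self.pending is not None:
            keyword, args = self.pending
            self.pending = None
            if ok and keyword == "PASS":
                self.state = "TRANSACTION"
            if ok and keyword in ("RETR", "TOP"):
                self.last_read = max(self.last_read, int(args.split()[0]))
            if ok and (keyword in ("RETR", "TOP")
                       or (keyword in ("LIST", "UIDL") and args == "")):
                self.multiline = True
        if not ok:
            return b"-ERR request failed\r\n"   # the server's own error text can fingerprint it
        return line


def demo():
    """Constructed exchange (not a capture) showing each decision the filter makes."""
    f = Pop3Filter()
    steps = [
        f.from_server(b"+OK ExampleMail POP3 v1.2.3 ready <1234.5678@mail.example>\r\n"),
        f.from_client(b"retr 1\r\n"),                        # wrong state
        f.from_client(b"USER alice\r\n"),
        f.from_server(b"+OK\r\n"),
        f.from_client(b"PASS " + b"A" * 300 + b"\r\n"),      # oversized, never forwarded
        f.from_client(b"PASS s3cret\r\n"),
        f.from_server(b"+OK logged in\r\n"),
        f.from_client(b"RETR 1\r\n"),
        f.from_server(b"+OK 120 octets\r\n"),
        f.from_server(b"-ERR this is body text, not a status line\r\n"),
        f.from_server(b".\r\n"),
        f.from_client(b"LAST\r\n"),                          # answered by the proxy
        f.from_client(b"DELE 1; rm -rf /\r\n"),              # fails the argument grammar
    ]
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of the canonical rebuild in `from_client` is that a client can only ever get a keyword from the allow-list plus an argument that matched the grammar to the backend; whatever the real server's parser does with odd whitespace, case, or long lines is never exercised. The greeting and error scrubbing in `from_server` is the "strip identifying information" half of the post; it has a cost (APOP cannot work, and clients lose the server's error wording), which is the usual trade-off of a strict proxy.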
Current thread:
- Air gap technologies Avi Rubin (Jan 16)
- Re: Air gap technologies Paul Cardon (Jan 18)
- <Possible follow-ups>
- RE: Air gap technologies Stiennon,Richard (Jan 16)
- Re: Air gap technologies Crispin Cowan (Jan 18)
- Re: Air gap technologies Frederick M Avolio (Jan 19)
- Re: Air gap technologies Crispin Cowan (Jan 19)
- Re: Air gap technologies Avi Rubin (Jan 19)
- RE: Air gap technologies Robert Graham (Jan 22)
- What is a proxy? Robert Graham (Jan 24)
- RE: What is a proxy? Andreas Haug (Jan 25)
- Re: What is a proxy? Gary Flynn (Jan 25)
- Re: Air gap technologies Crispin Cowan (Jan 24)
- Message not available
- Re: What is a proxy? Marcus J. Ranum (Jan 25)
- Re: Air gap technologies Crispin Cowan (Jan 18)
- Message not available
- pcanywhere encryption hermit1 (Jan 26)
- Re: pcanywhere encryption Crist Clark (Jan 29)
- Re: pcanywhere encryption Randy Witlicki (Jan 29)
- Re: pcanywhere encryption Adam Shostack (Jan 29)
- Re: Air gap technologies Aleph One (Jan 24)
- Re: Air gap technologies Frederick M Avolio (Jan 24)