Firewall Wizards mailing list archives

What is a proxy?


From: "Robert Graham" <robert_david_graham () yahoo com>
Date: Wed, 24 Jan 2001 03:45:29 -0800

This issue of "air gap" got me thinking down the lines about the quality of
various firewall proxies. They range from simple port forwarders to
extensive protocol machines.

For example, I wrote my own POP3 proxy (I'm odd that way -- I don't even
trust Open Source that I've reviewed). I first considered simple port
forwarding, but of course that would allow potential buffer overflows
through to the backend server. Therefore, I wrote some simple cleansing
routines, not only cleansing client input but stripping server responses in
order to hide any identifying information (so you won't know which exploits
to even try). Then I wanted a silly feature whereby it would sort messages
by size (so downloading e-mail from a hotel room becomes easier), so I had
to basically create a full POP3 server state-machine that virtualizes all
protocol exchanges. POP3 has a number of optional protocol operations (UIDL,
TOP, LAST); if I wanted to spend the effort (and if I were willing to store
persistent info on the proxy's hard-disk), I could virtualize everything.
E.g. the LAST command allows you to mark which messages you've read so that
you don't re-read them the next time you log on; even if the backend POP3
server doesn't remember the command, I can still record the info on the
proxy hard disk and emulate it.

This entire story demonstrates the huge variety possible with proxy
services. Whatever you think of the value of a "gap", Whale Com's solution
does have the attribute that it is probably one of the more anal proxies.

My question is this: has anybody done a review of the proxies out there
(specifically HTTP, SMTP, POP3, etc.) that measures the degree to which the
proxy service "cleanses" information passing through it? In the POP3 space,
I found at least 10 different proxies; I have no idea what features any of
them have, I suspect most are just port forwarders once they proudly display
their own helo banner. I would suspect that a few are stateless line
cleansers like my first design, but I can't imagine that many implement full
protocol state machines. (Again, I'm odd that way -- my answer is typically
"use a full protocol state machine", now what was your question?)

Likewise, do people consider this an important issue? I am deathly afraid of
data-driven attacks -- this is one of the Big Holes in security that people
don't talk much about and frankly firewalls don't really protect against
(much like the PCWeek hacking contest where an HTTP server was compromised
despite an HTTP proxying firewall in front of it).

Finally, I would be interested in stories from people and how they protect
against data-driven attacks.

Regards,
Robert Graham
CTO/Network ICE

PS: "data-driven" is one of the many terms used to describe a situation
whereby an attacker carefully constructs input that passes initial checks but
which may cause an unexpected result deep within the system. Full
disclosure: an example would be RFP's exploit against our own product where he
was able to exploit a Microsoft vulnerability in the backend Access database
by carefully constructing input IDS events that would later be stored there.
Our solution was to carefully examine all input into the system, matching it
against the Microsoft vulnerability. The real rub is that Access isn't even
officially supported (we recommend MS SQL), but we still had to fix it.
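As an added illustration of the "stateless line cleanser" versus "full protocol state machine" distinction drawn in the post above (example code, not the author's own proxy): a minimal POP3 filter that validates each client command against the current protocol state and replaces the server's identifying greeting. Command names, argument counts and the 255-octet limit follow RFC 1939; the class and its method names are constructed for this example.

```python
import re

# Added example (not the original poster's code): a POP3 command filter of
# the "cleansing proxy" kind the mail describes. It drops malformed or
# out-of-state client commands and rewrites the server greeting.
MAX_CMD = 255  # RFC 1939: a command line is at most 255 octets incl. CRLF

# Commands permitted in each POP3 state, mapped to allowed argument counts.
AUTHORIZATION = {"USER": (1,), "PASS": (1,), "APOP": (2,), "QUIT": (0,)}
TRANSACTION = {"STAT": (0,), "LIST": (0, 1), "RETR": (1,), "DELE": (1,),
               "NOOP": (0,), "RSET": (0,), "QUIT": (0,), "TOP": (2,),
               "UIDL": (0, 1), "LAST": (0,)}
NUMERIC_ARGS = {"LIST", "RETR", "DELE", "TOP", "UIDL"}  # message numbers only

class Pop3Filter:
    def __init__(self):
        self.state = AUTHORIZATION
        self.greeted = False
        self.pending = None  # last command forwarded, awaiting its reply

    def client_line(self, raw: bytes):
        """Return a normalized command line to forward, or None to drop it."""
        if len(raw) > MAX_CMD or not raw.endswith(b"\r\n"):
            return None
        line = raw[:-2]
        if not re.fullmatch(rb"[\x20-\x7e]*", line):  # printable ASCII only
            return None
        parts = line.split(b" ")
        cmd, args = parts[0].upper().decode(), parts[1:]
        if cmd == "PASS" and args:  # a password may itself contain spaces
            args = [b" ".join(args)]
        allowed = self.state.get(cmd)
        if allowed is None or len(args) not in allowed:
            return None
        if cmd in NUMERIC_ARGS and not all(a.isdigit() for a in args):
            return None
        self.pending = cmd
        return b" ".join([cmd.encode()] + args) + b"\r\n"

    def server_line(self, raw: bytes):
        """Filter a server status line (multi-line bodies are not handled here)."""
        if not self.greeted:
            self.greeted = True
            # Hides software/version; also drops the <timestamp> APOP needs.
            return b"+OK POP3 proxy ready\r\n"
        if self.pending in ("PASS", "APOP") and raw.startswith(b"+OK"):
            self.state = TRANSACTION  # successful login moves the session on
        self.pending = None
        return raw
```

Feed each client line through client_line and each server status line through server_line; a None result means the line is dropped rather than forwarded.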



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
