Firewall Wizards mailing list archives
Re: Evolution of Firewalls
From: ArkanoiD <ark () eltex net>
Date: Wed, 10 Mar 2004 12:20:39 +0300
nuqneH, see comment inline:

On Tue, Mar 09, 2004 at 02:32:04PM -0500, Dave Piscitello wrote:

> At 12:24 PM 3/9/2004 +0300, you wrote:
>
>> There is a major difference: a proxy does analysis and reconstructs the data stream from the analysed data, and a stateful inspection system can only decide to let it pass or not. The impact is obvious: it is much more likely for a stateful inspection system to miss a thing that is not known to it, or to exploit a bug when the inspection system parses data differently from the communication endpoint.
>
> I'm not certain this distinction exists once both proxies and stateful inspection systems examine an entire application datum, as they now must do. I agree completely that this distinction exists when you are talking about stateful inspection of TCP and IP level packet streams. But if we agree that an application datum = application header plus all the data associated with that application operation (http response, for example), then don't both systems examine the same object? This is the only way I know how to interpret "deep packet inspection". Thus a stateful inspection firewall can use many of the same rules a proxy has traditionally applied to determine if the HTTP GET, for example, contains a malformed URL, or a SQL injection attempt, etc.

The proxy output stream, not only the general verdict, depends on parsing results.

If you use "deep packet inspection", you may just try to decode/standardize the URL, bring it to a standard form, check if it looks good and let it pass or not. If you use an application proxy, you may decode/standardize the URL, bring it to a standard form and let pass or not your _decoding result_, not the original request, thus ensuring that if there are implementation differences in decoding on the firewall and on the endpoint, they have no effect on policy and standards compliance. This applies to every level you examine, including the tcp/ip data stream itself (see fragmentation problems, weird flags, TTL messing and so on).

> Sorry, I don't understand this?
>
>> YMMV and it is implementation dependent;
>
> Not familiar with the acronym YMMV

Your mileage may vary

>> a bad proxy may implement a protocol without proper detalization and a good stateful inspection engine may behave better, but proxy technology in general is clearly superior for the real world.
>
> To be honest, I see the distinction blurred in the current generation of firewalls, to the extent that I can be persuaded to agree with the claim that all firewalls that provide so-called application protection in fact proxy traffic.
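As an added illustration of the point made in this message (example code written for this archive page, not from the thread or any product; the function names and the "/public/" policy are made up), both approaches evaluate policy on the same decoded URL, but only the proxy forwards its own decoding result:

```python
from urllib.parse import quote, unquote
import posixpath

# Constructed policy: only paths under this prefix may reach the server.
ALLOWED_PREFIX = "/public/"


def canonical_path(raw_path: str) -> str:
    """The firewall's own decoding: one round of percent-decoding, then
    collapse '.', '..' and repeated slashes (posixpath.normpath)."""
    decoded = unquote(raw_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def policy_ok(path: str) -> bool:
    return path.startswith(ALLOWED_PREFIX)


def stateful_inspection(raw_path: str):
    """Deep-inspection style: the verdict uses the decoded form, but what
    reaches the endpoint is the ORIGINAL request bytes (or nothing)."""
    return raw_path if policy_ok(canonical_path(raw_path)) else None


def proxy(raw_path: str):
    """Proxy style: the endpoint receives the firewall's decoding result,
    re-encoded canonically, never the client's original encoding."""
    canon = canonical_path(raw_path)
    return quote(canon) if policy_ok(canon) else None


def is_canonical(path: str) -> bool:
    """True when re-decoding changes nothing, i.e. the bytes delivered to
    the endpoint are exactly the bytes the policy was evaluated on."""
    return quote(canonical_path(path)) == path


if __name__ == "__main__":
    # Constructed request: an allowed target written with a redundant,
    # percent-encoded dot segment that the firewall collapses.
    raw = "/public/%2E%2E/public/a.txt"
    print("inspection forwards:", stateful_inspection(raw))  # original bytes
    print("proxy forwards:     ", proxy(raw))                # /public/a.txt
    print("forwarded form is canonical:",
          is_canonical(stateful_inspection(raw)), is_canonical(proxy(raw)))
```

The inspection path passes a request whose interpretation still depends on how the endpoint decodes "%2E%2E"; the proxy path delivers a form that any conforming decoder reads the same way.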