Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Claudio Telmon <claudio () telmon org>
Date: Wed, 27 Apr 2011 23:59:52 +0200
On 04/27/2011 10:52 PM, David Lang wrote:

> however, as proxy firewalls are dying, new devices with the type of checking that proxies do are becoming more common.

I don't think so. No product that I'm aware of has the same "default deny" on the low level attacks that a proxy has. Again, the recent "split handshake" problems are a clear example: packet filters "try to guess" the proper session state, while there is no way to cheat a proxy into letting a connection in if it's not permitted (up to TCP/UDP, I mean). Packet-handling tools, be it filters, IDS or something else, however, are probably "good enough" for the market.

> doing the checking with a proxy listening to a specific port should be significantly easier than checking for all protocols on all connections passing through the devices.

It is, actually, if it's TCP. From what I remember, as I wrote some code in this area, UDP is much more of a nightmare. This is why I say that proxies are good for some protocols (e.g. http) where you can benefit from tight controls, but you still need a packet filter underneath for other protocols: you can't punch a hole in a proxy for a new, unknown and "essential" protocol.

ciao

- Claudio

--
Claudio Telmon
claudio () telmon org
http://www.telmon.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
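
The split-handshake point in the message above, as an added example that is not part of the original post or of any product's code: a default-deny handshake check next to a deliberately simplified model of a tracker that guesses roles from the segments it sees. The flag sequences are constructed samples, and the function names and the guessing rule are assumptions made for illustration.

```python
# Added example: strict (default-deny) TCP handshake tracking versus a tracker
# that guesses session roles. Each segment is (direction, flags):
#   "c2s" = real client to real server, "s2c" = the reverse
#   "S" = SYN, "SA" = SYN+ACK, "A" = ACK
# Both sample flows are constructed for illustration.

NORMAL = [("c2s", "S"), ("s2c", "SA"), ("c2s", "A")]
# Four-step split handshake: the server answers the SYN with its own bare SYN,
# so the SYN+ACK ends up travelling from client to server.
SPLIT = [("c2s", "S"), ("s2c", "S"), ("c2s", "SA"), ("s2c", "A")]

# The only transitions a strict tracker accepts; everything else is denied.
STRICT = {
    ("NEW", "c2s", "S"): "SYN_SENT",
    ("SYN_SENT", "s2c", "SA"): "SYN_ACKED",
    ("SYN_ACKED", "c2s", "A"): "ESTABLISHED",
}


def strict_verdict(segments):
    """Return ("allow", i) when the classic three-way handshake completes at
    segment i, or ("deny", i) at the first segment that does not fit."""
    state = "NEW"
    for i, (direction, flags) in enumerate(segments):
        state = STRICT.get((state, direction, flags))
        if state is None:
            return ("deny", i)
        if state == "ESTABLISHED":
            return ("allow", i)
    return ("deny", len(segments))  # handshake never completed


def guessed_initiator(segments):
    """Simplified model of guessing: assume whoever receives the SYN+ACK
    opened the connection. Returns "client", "server" or None."""
    for direction, flags in segments:
        if flags == "SA":
            return "client" if direction == "s2c" else "server"
    return None


if __name__ == "__main__":
    for name, flow in (("normal", NORMAL), ("split", SPLIT)):
        print(name, strict_verdict(flow), guessed_initiator(flow))
```

On the split flow the guessing model labels the server as the initiator, so any rule keyed on connection direction would be applied backwards, while the strict check denies at the second segment.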