Transparent vs. Non-transparent AGs/SPFs/whatever
Ryan Russell (ryanr at sybase.com)
Tue, 22 Sep 1998 15:21:49 -0700
- Next message: Marcus J. Ranum: "Re: Re[2]: Penetration testing via shrinkware"
- Previous message: Marcus J. Ranum: "Re: FW-1: Questions about DHCP and IPX"
- Next in thread: Bárány Sándor: "why isn't there a newer linux fw-howto"
- Reply: Bárány Sándor: "why isn't there a newer linux fw-howto"
- Maybe reply: Bill_Royds at pch.gc.ca: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
- Maybe reply: Ryan Russell: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
- Reply: Woody Weaver: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
- Maybe reply: Bill_Royds at pch.gc.ca: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
- Maybe reply: Ryan Russell: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
- Maybe reply: Ryan Russell: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
- Maybe reply: Ryan Russell: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
No, this is *that* holy war about SPFs vs AGs...
One of the great advantages (also vulnerability, read on) of packet
filter type and related firewalls is that they're transparent to the
clients.
That is, they require no changes to client software to function, and
the clients think they're connected to the raw Internet.
The firewall devices of this nature typically act like a router or
bridge, and you simply point your Internet bound traffic in
their direction.
One can also make Application Gateways transparent, too, I'm
told. There is a transparency toolkit for the FWTK, I believe.
Obviously, there are also AGs that require the client to do something
different to get to the Internet.
The advantage to AGs is that they should be able to speak the
exact protocol being used, and hopefully keep some unanticipated
funny business from going on.
Non-transparent proxies can make clients tell them what protocol
they're trying to speak, as well as to whom, and on what port. So,
policy permitting, I could request that the proxy let me talk
to someserver, with the telnet protocol, at port 2300 instead of
23.
If I've got a transparent proxy, or some SPF, how is it supposed to
know that when I connect to port 2300, I want the telnet protocol
instead of HTTP, FTP, or something else?
There are obviously some clues in the data stream as to what the
protocol is, but trying to figure it out on the fly won't scale very well.
Now, if I had gone through the transparent device, but to port 23,
it could (likely safely) assume telnet.
So here's my question:
If I want transparency, am I essentially stuck trying to
determine protocol strictly by port number? If I want to permit
people out to arbitrary port numbers, am I stuck with the
equivalent of a circuit-level proxy?
Ryan
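As an added illustration of the question the post raises (this code is written for this archive page; it is not from the post, the thread, or any firewall product), the following sketches what a transparent device actually has to work with: the destination port before any data flows, and the first bytes of the stream afterwards. The policy table, the host names and the sample packets are constructed, with "someserver" and port 2300 borrowed from the post's own example.

```python
"""Protocol identification on a transparent filter: by port, then by payload.

Constructed example for this archive page, not code from the post or from any
product. WELL_KNOWN_PORTS, POLICY, the host names and the sample bytes are all
made up here to show the two signals a transparent device can use.
"""

# What a packet filter knows before a single data byte flows: the port.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http"}

# Policy: which protocol is permitted to which (host, port). Constructed.
POLICY = {
    ("someserver", 2300): "telnet",   # the post's example: telnet on 2300, not 23
    ("webhost", 80): "http",
}

TELNET_IAC = 0xFF                          # RFC 854 "Interpret As Command"
TELNET_NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_by_port(dst_port):
    """The only conclusion a plain packet filter can draw: port -> protocol."""
    return WELL_KNOWN_PORTS.get(dst_port, "unknown")


def classify_by_payload(client_first):
    """Fingerprint the client's opening bytes.

    Each rule matches the start of one protocol's opening exchange. Anything
    that matches no rule stays "unknown": a security device should not guess.
    Note that for FTP and SMTP the server speaks first, so the client's first
    bytes only arrive after the banner, i.e. after the connection already exists.
    """
    if len(client_first) >= 3 and client_first[0] == TELNET_IAC \
            and client_first[1] in TELNET_NEGOTIATE:
        return "telnet"                     # IAC DO/WILL <option>
    if client_first.startswith(b"SSH-"):
        return "ssh"                        # SSH identification string
    if client_first.startswith(HTTP_METHODS):
        return "http"                       # HTTP request line
    upper = client_first.upper()
    if upper.startswith((b"USER ", b"PASS ")):
        return "ftp"                        # first FTP command after banner
    if upper.startswith((b"HELO ", b"EHLO ")):
        return "smtp"                       # first SMTP command after banner
    return "unknown"


def decide(dst_host, dst_port, client_first):
    """Combine the two signals the way a transparent device must.

    Returns (verdict, protocol, reason). On a well-known port the port alone
    settles it; on any other port the data stream is the only evidence left,
    and until data arrives the honest answer is "unknown", hence deny.
    """
    wanted = POLICY.get((dst_host, dst_port))
    if wanted is None:
        return ("deny", "unknown", "no policy entry for destination")
    by_port = classify_by_port(dst_port)
    if by_port == wanted:
        return ("allow", by_port, "well-known port matches policy")
    by_payload = classify_by_payload(client_first)
    if by_payload == wanted:
        return ("allow", by_payload, "payload fingerprint matches policy")
    return ("deny", by_payload,
            "non-standard port and payload does not look like " + wanted)


# Constructed sample streams.
TELNET_NEGOTIATION = bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFD, 0x20])  # IAC DO TERMINAL-TYPE, IAC DO LINEMODE
HTTP_REQUEST = b"GET / HTTP/1.0\r\nHost: webhost\r\n\r\n"

if __name__ == "__main__":
    for host, port, data in [("someserver", 2300, TELNET_NEGOTIATION),
                             ("someserver", 2300, HTTP_REQUEST),
                             ("someserver", 2300, b""),
                             ("webhost", 80, b"")]:
        print(host, port, decide(host, port, data))
```

The two deny cases are the interesting ones: HTTP pushed at the telnet-only port 2300 is caught by the fingerprint, but an empty stream on 2300 is also denied, because before any data flows a transparent device has nothing but the port to go on. That is exactly the gap a non-transparent proxy closes by making the client state the protocol up front.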
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT