Re: Transparent vs. Non-transparent AGs/SPFs/whatever
Ryan Russell (ryanr at sybase.com)
Wed, 23 Sep 1998 10:10:09 -0700
- Next message: Henry Hertz Hobbit: "Re: FW-1: Questions about DHCP and IPX"
- Previous message: David Collier-Brown: "Re: Penetration testing via shrinkware"
- In reply to: Marcus J. Ranum: "Re: Re[2]: Penetration testing via shrinkware"
- Next in thread: Woody Weaver: "Re: Transparent vs. Non-transparent AGs/SPFs/whatever"
That doesn't really answer the question I asked. Sure, if I know
ahead of time that my user wants to telnet to port 2300, I can
configure my firewall to route traffic with a destination port
of 2300 through my telnet proxy app, no problem. But what
if I don't know ahead of time what port people will be telnetting
to?
(This is assuming I want to proxy more than 1 protocol... if I'm
only allowing telnet out, then the telnet proxy could handle everything.)
And what if a different one of my users wants to do HTTP to
port 2300 on a different host on the Internet?
(Again, the assumption is that the telnet proxy is smart enough to
know that HTTP doesn't look like a proper telnet... if a telnet
proxy lets HTTP through thinking that it's just a weird telnet session,
then that's just another circuit-level proxy as far as I'm concerned.)
Ryan
P.S. BTW, I think I probably already know the answer to this
thread I've started, I'm just hoping I'm wrong.
>AGs run transparently if they are the one in the pipe between protected
>network (inside) and unprotected Internet (outside).
>All default routes of inside network, whether default gateway or router
>defaults point to inside NIC of firewall.
>For your example, the firewall rules then say that if any traffic comes
>in from inside NIC for port 2300 it will be proxied as telnet. No other
>service will be allowed on port 2300.
>Similarly for external traffic. Since there are 2 sessions on firewall for
>each connection (from inside to firewall, from firewall to external
>server), you can even change the port on the way through or even change the
>protocol (always change ftp to ftp-PASV running under http).
>You are not restricted to carrying the same packets on each side of the
>firewall.
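The design question in this message, whether an application gateway can pick the right proxy for an arbitrary destination port and refuse to relay HTTP through the telnet proxy, can be illustrated with a small dispatch routine. The code below is an added example written for this archive page; it is not code from either poster or from any firewall product they mention. It assumes a hypothetical gateway that reads the first bytes a client sends before choosing a proxy, the proxy names `telnet-gw` and `http-gw` are placeholders, and all sample byte strings are constructed for the example.

```python
"""Port-agnostic application-proxy dispatch (constructed example).

The gateway does not trust the destination port to name the protocol.
It classifies the first bytes the client sends and then checks a policy
table keyed by destination port. A stream that matches no application
proxy is denied rather than relayed, which is what separates an
application gateway from a circuit-level relay.
"""
import re
from typing import Dict, Set, Tuple

# Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT/SB.
TELNET_IAC = 0xFF
TELNET_NEGOTIATION = {0xFA, 0xFB, 0xFC, 0xFD, 0xFE}

# An HTTP/1.x request line at the very start of the stream.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n"
)

# Placeholder proxy names for the hypothetical gateway.
PROXIES = {"telnet": "telnet-gw", "http": "http-gw"}


def classify_stream(initial: bytes) -> str:
    """Return 'telnet', 'http' or 'unknown' from the client's opening bytes.

    Only genuine telnet option negotiation counts as telnet. Arbitrary
    printable text is deliberately NOT accepted as telnet: doing so would
    turn the telnet proxy into a generic byte relay.
    """
    if len(initial) >= 2 and initial[0] == TELNET_IAC and initial[1] in TELNET_NEGOTIATION:
        return "telnet"
    if HTTP_REQUEST_LINE.match(initial):
        return "http"
    return "unknown"


def dispatch(dst_port: int, initial: bytes,
             policy: Dict[object, Set[str]]) -> Tuple[str, str]:
    """Choose a proxy for a new outbound connection.

    policy maps a destination port (or "*" for any port) to the set of
    protocols permitted there. Returns (proxy_or_deny, reason).
    """
    proto = classify_stream(initial)
    if proto == "unknown":
        return ("deny", "no application proxy recognises the opening bytes to port %d" % dst_port)
    allowed = policy.get(dst_port, policy.get("*", set()))
    if proto not in allowed:
        return ("deny", "%s is not permitted to port %d" % (proto, dst_port))
    return (PROXIES[proto], proto)


# Constructed policy: telnet and HTTP may go to any port; nothing else.
POLICY: Dict[object, Set[str]] = {"*": {"telnet", "http"}}

# Constructed sample streams, all bound for port 2300 as in the message.
TELNET_SAMPLE = b"\xff\xfd\x18"                      # IAC DO TERMINAL-TYPE
HTTP_SAMPLE = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
OPAQUE_SAMPLE = b"\x16\x03\x01\x00\x05hello"         # looks like neither


if __name__ == "__main__":
    for label, stream in (("telnet", TELNET_SAMPLE),
                          ("http", HTTP_SAMPLE),
                          ("opaque", OPAQUE_SAMPLE)):
        print(label, "->", dispatch(2300, stream, POLICY))
```

Two sessions to the same port 2300 thus land on different proxies, and a stream that matches neither is denied instead of being passed through "as a weird telnet session". The cost of this approach, which the message hints at, is that the gateway must buffer the client's first bytes before it can open the outbound side, and protocols where the server speaks first need a different rule.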
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT