Re: Transparent vs. Non-transparent AGs/SPFs/whatever
Bill_Royds
pch.gc.ca
Fri, 25 Sep 1998 11:30:09 -0400
That doesn't really answer the question I asked. Sure, if I know
ahead of time that my user wants to telnet to port 2300, I can
configure my firewall to route traffic with a destination port
of 2300 through my telnet proxy app, no problem. But what
if I don't know ahead of time what port people will be telnetting
to?
(this is assuming I want to proxy more than 1 protocol... if I'm
only allowing telnet out, then the telnet proxy could handle everything.)
And what if a different one of my users wants to do HTTP to
port 2300 on a different host on the Internet?
(Again, the assumption is that the telnet proxy is smart enough to
know that HTTP doesn't look like a proper telnet... if a telnet
proxy lets HTTP through, thinking that it's just a weird telnet session,
then that's just another circuit-level proxy as far as I'm concerned.)
Ryan
P.S. BTW, I think I probably already know the answer to this
thread I've started, I'm just hoping I'm wrong.
The Raptor firewall has some support for this.
It can't determine the proxy needed from the stream content, but rules can
be set up as
use http for port 2300 to foo1.com
use telnet for port 2300 to foo2.com
called redirect services.
This is deterministic and generally maintains the security policy, but it
does leave some room for spoofing protocols.
>AG's run transparently if they are the one pipe between protected
>network (inside) and unprotected Internet (outside).
>All default routes of inside network, whether default gateway or router
>defaults point to inside NIC of firewall.
>For your example, the firewall rules then say that if any traffic comes
>in from inside NIC for port 2300 it will be proxied as telnet. No other
>service will be allowed on port 2300.
>Similarly for external traffic. Since there are 2 sessions on firewall for
>each connection (from inside to firewall, from firewall to external
>server), you can even change the port on the way through or even change the
>protocol (always change ftp to ftp-PASV running under http).
>You are not restricted to carrying the same packets on each side of the
>firewall.
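The "redirect services" idea in Bill's reply (a deterministic rule table keyed on destination host and port that selects which application proxy handles a session) and the gap Ryan worries about (a telnet proxy passing an HTTP session as "weird telnet") can both be modelled in a few lines. The following is an added example written for this archive page, not Raptor's configuration syntax or any firewall's code; the rule table, host names, and the crude protocol fingerprints are constructed for illustration.

```python
"""Constructed model of per-destination 'redirect service' rules for an
application-gateway firewall, plus a check that the client's opening bytes
match the protocol the rule assigns. Illustrative only; not a real product."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RedirectRule:
    """One rule: connections to (dst_host, dst_port) are handed to 'proxy'."""
    dst_host: str
    dst_port: int
    proxy: str


# Constructed rule table reproducing the two rules quoted in the message.
RULES: List[RedirectRule] = [
    RedirectRule("foo1.com", 2300, "http"),
    RedirectRule("foo2.com", 2300, "telnet"),
]


def select_proxy(dst_host: str, dst_port: int, rules=RULES) -> Optional[str]:
    """Deterministic lookup by destination; None means no rule, i.e. deny."""
    for rule in rules:
        if rule.dst_host == dst_host and rule.dst_port == dst_port:
            return rule.proxy
    return None


# An HTTP request line such as b"GET / HTTP/1.0\r\n".
_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n"
)
_TELNET_IAC = b"\xff"  # telnet option negotiation begins with an IAC byte


def looks_like(proto: str, first_bytes: bytes) -> bool:
    """Cheap fingerprint of the client's opening bytes against the expected protocol."""
    if proto == "http":
        return _HTTP_REQUEST_LINE.match(first_bytes) is not None
    if proto == "telnet":
        if first_bytes.startswith(_TELNET_IAC):
            return True
        # A plain login session is printable text; an HTTP request line is not telnet.
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in first_bytes)
        return printable and _HTTP_REQUEST_LINE.match(first_bytes) is None
    return False


def dispatch(dst_host: str, dst_port: int, first_bytes: bytes,
             rules=RULES) -> Tuple[Optional[str], str]:
    """Choose the proxy for a new connection and check the stream agrees with it.

    Returns (proxy, verdict), verdict being "allow", "deny" or "mismatch".
    "mismatch" is the case the thread calls spoofing a protocol: the rule
    picked a proxy, but the stream does not look like that protocol.
    """
    proxy = select_proxy(dst_host, dst_port, rules)
    if proxy is None:
        return None, "deny"
    if not looks_like(proxy, first_bytes):
        return proxy, "mismatch"
    return proxy, "allow"


if __name__ == "__main__":
    # Constructed sample connections: destination, port, first bytes from the client.
    samples = [
        ("foo1.com", 2300, b"GET /index.html HTTP/1.0\r\n\r\n"),
        ("foo2.com", 2300, b"\xff\xfd\x18\xff\xfd\x20"),
        ("foo2.com", 2300, b"GET / HTTP/1.0\r\n\r\n"),
        ("bar.com", 2300, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    for host, port, data in samples:
        print(host, port, dispatch(host, port, data))
```

The lookup itself is what makes the scheme deterministic: the proxy is fixed by the rule, never inferred from the content. The fingerprint check is what a content-aware proxy adds on top; without it, a rule that names the telnet proxy will carry whatever bytes the client sends, which is Ryan's "just another circuit-level proxy" objection. A real proxy would replace the fingerprint with full parsing of the protocol it implements.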
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT