NFR Wizards Archive: Re: Firewall-Wizards Digest V1 #197

Re: Firewall-Wizards Digest V1 #197


Steve George (stevegei-way.net.uk)
Mon, 28 Sep 1998 13:56:58 +0100


Hi,

Since proxies are normally considered to act at the application level there is no particular reason why they should not understand more about the protocol that they are proxying. With connectionless protocols such as SMTP this is quite straightforward since you can implement the set of commands which you consider safe and then forward the stuff to the other end, hence FWTK doesn't do some of the SMTP commands. However, with connection-orientated proxies such as telnet you have to implement all of the protocol as you don't know what the user will do with it. However, it seems to me that in essence the problem is with the implementation of the thing at the other end of your proxy, not the fact that you can telnet to it rather than use a browser.

Steve

On Sat, Sep 26, 1998 at 05:34:22AM -0700, sandeep kumar wrote:
> Ryan Russel wrote: ===>
>
> >Date: Wed, 23 Sep 1998 10:10:09 -0700
> >From: "Ryan Russell" <ryanrsybase.com>
> >Subject: Re: Transparent vs. Non-transparent AGs/SPFs/whatever
>
> >Again, the assumption is that the telnet proxy is smart enough to
> >know that HTTP doesn't look like a proper telnet... if a telnet
> >proxy lets HTTP through thinking that it's just a weird telnet session,
> >then that's just another circuit-level proxy as far as I'm concerned.)
>
> Ryan
> =====>
> Does a proxy understand that if it is to proxy, say, telnet sessions at
> the given port, then even if someone tries to use some other protocol
> the proxy would know that it is not the intended protocol and the
> connection or proxy would be denied?
>
> My question is whether this is possible or not; if yes, then how
> does the proxy read what protocol the client or the server is
> initiating....
>
> This brings up the question of letting various services through a
> firewall based upon port number: telnet 23, smtp 25 etc. But say I were
> to write an application on a given port, say 23, and use that port to
> connect to a server also running my application; then the connection
> would be made. How does one PREVENT this?
> thanks
> sk...
>



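The command-allowlisting approach Steve describes (implement only the SMTP verbs you consider safe, answer everything else yourself, and relay just the safe ones) and sk's question about a foreign protocol turning up on a well-known port are both illustrated by the following added example. It is not code from the original post or from FWTK; the allowlist, the reply codes and the stub server are this example's own assumptions, since the page does not state which commands FWTK's SMTP proxy actually implements. The point it makes beyond the text is that such a filter has to track protocol state: a line reading "VRFY root" is a command to be refused before DATA, but ordinary message text inside the body.

```python
# Added example, not code from the original post or from FWTK: a minimal
# command-allowlisting SMTP filter of the kind described in the message above.
# The allowlist, reply codes and stub server below are this example's own
# assumptions (the page does not give FWTK's real command set).
import re

ALLOWED_VERBS = frozenset({"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
MAX_LINE_LEN = 512                       # RFC 5321 command-line limit incl. CRLF
_VERB_RE = re.compile(rb"^([A-Za-z]{4})(?:\s|$)")


class SmtpCommandFilter:
    """Stateful filter sitting between client and server on port 25. The proxy
    tracks the DATA phase itself, because inside a message body any text is
    legitimate and must not be mistaken for a command."""

    def __init__(self):
        self.pending_data = False   # DATA was relayed, awaiting the server's 354
        self.in_data = False        # relaying message body until the "." line

    def decide(self, line: bytes):
        """Classify one client line.
        Returns ("forward", line) to relay to the server, or
        ("reject", reply) with the reply the proxy itself sends the client."""
        body = line.rstrip(b"\r\n")
        line = body + b"\r\n"
        if self.in_data:
            if body == b".":
                self.in_data = False
            return ("forward", line)
        if len(line) > MAX_LINE_LEN:
            return ("reject", b"500 5.5.2 Line too long\r\n")
        if any((b < 0x20 or b > 0x7E) for b in body):
            return ("reject", b"500 5.5.2 Syntax error: non-printable characters\r\n")
        m = _VERB_RE.match(body)
        if m is None:
            # No four-letter SMTP verb at the start: this is not SMTP at all
            # (e.g. an HTTP request aimed at port 25), so it never reaches the server.
            return ("reject", b"500 5.5.2 Syntax error, command unrecognised\r\n")
        verb = m.group(1).upper().decode("ascii")
        if verb not in ALLOWED_VERBS:
            # VRFY, EXPN and the like are answered locally, never relayed.
            return ("reject", b"502 5.5.1 Command not implemented\r\n")
        if verb == "DATA":
            self.pending_data = True
        return ("forward", line)

    def on_server_reply(self, reply: bytes):
        """Enter body-relay mode only when the server actually accepts DATA."""
        if self.pending_data:
            self.in_data = reply.startswith(b"354")
            self.pending_data = False


def simulate(client_lines, server_accepts_data=True):
    """Run the filter over a client transcript against a stub server that
    answers 354 to DATA (or 503 when server_accepts_data is False) and 250
    to everything else. Returns (forwarded_lines, rejected_lines)."""
    flt = SmtpCommandFilter()
    forwarded, rejected = [], []
    for line in client_lines:
        action, payload = flt.decide(line)
        if action == "reject":
            rejected.append(line)
            continue
        forwarded.append(payload)
        if flt.pending_data:
            flt.on_server_reply(b"354 End data with <CR><LF>.<CR><LF>\r\n"
                                if server_accepts_data else b"503 5.5.1 Bad sequence\r\n")
        elif not flt.in_data:
            flt.on_server_reply(b"250 OK\r\n")
    return forwarded, rejected


# Constructed client transcript (not captured traffic): a normal delivery with
# a hostile command slipped in, the same text inside the body, and an HTTP
# request tried against the SMTP port.
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"VRFY root\r\n",                   # user enumeration before DATA: rejected
    b"MAIL FROM:<a@example>\r\n",
    b"RCPT TO:<b@example>\r\n",
    b"DATA\r\n",
    b"Subject: test\r\n",
    b"VRFY root\r\n",                   # inside the body: legitimate text, relayed
    b".\r\n",
    b"GET / HTTP/1.0\r\n",              # wrong protocol on port 25: rejected
    b"QUIT\r\n",
]

if __name__ == "__main__":
    fwd, rej = simulate(SAMPLE_SESSION)
    print("forwarded:", [l.rstrip(b"\r\n") for l in fwd])
    print("rejected: ", [l.rstrip(b"\r\n") for l in rej])
```

Running it relays eight lines and rejects two: the pre-DATA VRFY and the HTTP request. The filter also refuses over-long and non-printable lines before looking at the verb at all, which is the kind of check a telnet proxy cannot make, since (as Steve notes) it has no idea what the user will legitimately type.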

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:48 CDT