Firewalls: Re: transparent proxies

Firewalls
(October 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: transparent proxies
From:	Carl Jolley <cjolley @ iac . net>
Date:	Sat, 21 Oct 1995 16:20:59 -0400 (EDT)
To:	Chris Kostick <ckostick @ csc . com>
Cc:	Rick Murphy <rick @ TIS . COM>, firewalls @ GreatCircle . COM
In-reply-to:	<m0t6e6C-000iCvC @ csc . com>

On Sat, 21 Oct 1995, Chris Kostick wrote:

> > 
> > >Down side I suppose with transparent proxy is that
> > >you cannot add strong authentication.
> > 
> > Transparency and authentication are unrelated.  On a system protected by a
> > Gauntlet firewall, you can allow transparent access but first require
> > authentication.
> 
> I understand what you're saying, but the terminology is a little funny.
> If I have to authenticate myself to get through the firewall, it's not
> all that transparent. Without authentication, then it is what I would call
> fully transparent.
> 
> --
> chris
> 

The point is that one could have an authenication system in place and
running without (some might say instead of) a firewall. Therefore they are
independant. If a transparent firewall was properly installed in an
environment where authenication was being used then there would be no
indication that a firewall was being used, i.e. it would be transparent.
There would be no requirement that different client software be used that
was "firewall aware". Things (including the authenication process) would
continue to operate without change. If one wants to implement an
authenication system where none is currently being used, obiviously things
can not continue to operate as they did prior to its implementation and
that is the case regardless of whether or not a firewall is being used. 
They are independent concepts that can be implemented separately. 

Although it is an interesting idea, a mechanism of transparent
authenication would have to be deployed to have the entire security
mechanism be transparent. While transparency is usually considered a user
convenience, it occurs to me that transparent authenication would be done
"to" the user not for the user since the providing of authenication
information of the user would have to be without their participation --
otherwise it would not be transparent. This could be done with personal
identification devices, e.g. retnal scanners, fingerprints, voice
prints,etc. There certainly are "applications" where this sort of thing
is justified however I don't believe that Internet access is one of
those "applications". In fact, where such a mechanism might be used
the idea of connecting to the Internet (or any external network) would
be out of place. The only network that is absolutely safe from the
Internet is one that has no connection to the Internet.

**** cjolley @
 iac .
 net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****

References:

Re: transparent proxies
From: ckostick @ csc . com (Chris Kostick)

Indexed By Date	Previous:	Re: Encrypted Data Across National Boundries From: "Marcus J. Ranum" <mjr @ iwi . com>
Indexed By Date	Next:	Re: PPP/Encryption and Tunnelling From: "J. Richards" <richards @ utcc . utoronto . ca>
Indexed By Thread	Previous:	Re: transparent proxies From: ckostick @ csc . com (Chris Kostick)
Indexed By Thread	Next:	Re: transparent proxies From: mcr @ milkyway . com (Michael Richardson)