Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Generic Proxy
From: sazah @ ibu . sj . nec . com (Sunny Azah)
Date: Tue, 15 Oct 1996 11:40:04 -0700 (PDT)
To: amotta @ ifi . unizh . ch (Alejandro Motta)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <32621461 . 41C67EA6 @ ifi . unizh . ch> from "Alejandro Motta" at Oct 14, 96 11:22:25 am


> 
> Can someone tell me, how a generic proxy works, and if it is secure for
> supporting internet services, which are not directly supported by the
> proxies ?
> 
> Thanks very much
> 
> Alex.
> 

Alex,

A generic proxy works by forwarding a connection request directed
at a firewall to another system.  This system is normally inaccessible
to the outside network by other means.  The outside system connects
to an apparent network service on the FW (e.g. port 80 for WWW).
The proxy listening on this port accepts the connection,
possibly filtering the connection and dropping unacceptable connections,
and then makes a connection to the real server.  Once this
second connection is made, the proxy transfers traffic between
the client on the outside, and the server on the inside network.

The main difference between a generic proxy and an application specific
proxy is that the application proxy understands the communication
between the client and server, and a generic proxy does not.
The generic proxy simply transfers data back and forth between
the two systems.  The application proxy can intervene or modify
the communication to provide protection to either the client or server.
The application proxy can block dangerous commands and enforce
the structure of the communication, and protect the server (or client)
application from attack.  A generic proxy cannot protect the server
(or client) application.

A generic proxy does still have some significant benefits above
what packet filtering provides:

	-  IP address hiding.
	-  IP source routing is blocked.
	-  IP options are blocked.
	-  TCP/IP sequence number guessing is blocked.
	-  SYN-flooding attacks against the internal network are blocked.
	-  Other IP, UDP, and TCP level attacks are blocked.

A generic proxy is appropriate when there exists no application specific
proxy and the service being proxied is considered secure.
Using a generic proxy for "sendmail" would not be recommended,
since it has had a number of security problems and a generic proxy
cannot protect it.

-- 
sa.

--------------------------------------------------------------------------
Sunny Azah - sazah @ ibu . sj . nec . com

                            Internet Business Unit, Home of the PrivateNet
                            NEC Technologies, Inc.
                            110 Rio Robles San Jose, CA 95134
                            Tel:(408) 433-2161 FAX:(408) 433-1230

http://www.privatenet.nec.com
--------------------------------------------------------------------------
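
The accept, filter, connect and relay sequence described in the message above, as an added Python example; it is not part of the original post or of any product mentioned in it. The allow-list `ALLOWED_NETS` and the names `allowed`, `pump`, `handle` and `serve` are assumptions made for illustration.

```python
import ipaddress
import socket
import threading

# Constructed policy (assumption): only these source networks may use the relay.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8")]

def allowed(peer_ip, nets=ALLOWED_NETS):
    """Connection-level filter: the only kind of decision a generic proxy makes."""
    return any(ipaddress.ip_address(peer_ip) in net for net in nets)

def pump(src, dst):
    """Copy bytes one way until EOF. The payload is never parsed or checked."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the end-of-stream on to the other side
    except OSError:
        pass

def handle(client, peer_ip, backend, nets):
    """Filter one accepted connection, then open the second connection and relay."""
    with client:
        if not allowed(peer_ip, nets):
            return  # dropped before the real server is ever contacted
        try:
            server = socket.create_connection(backend, timeout=5)
        except OSError:
            return
        with server:
            server.settimeout(None)
            back = threading.Thread(target=pump, args=(server, client), daemon=True)
            back.start()
            pump(client, server)
            back.join()

def serve(listen_addr, backend, nets=ALLOWED_NETS):
    """Listen on the firewall-side address; returns the listening socket."""
    lsock = socket.create_server(listen_addr)
    def loop():
        while True:
            try:
                client, (ip, _port) = lsock.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(client, ip, backend, nets),
                             daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock
```

Nothing in `pump` looks at the bytes it copies, which is why this relay can refuse a connection by source address but cannot block a dangerous command inside an accepted one.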
    


