At 08:36 AM 11/27/96 -0500, Craig I. Hagan wrote:
>> Cut-through Proxies on the PIX appear to the user to work in a somewhat
>> similar way. When the PIX detects a new session starting of a protocol
>> which it knows about, it will complete the session and ask for proper
>> authentication. The protocols which we currently support are telnet,
>> ftp, and http. So, as the same example, when you telnet to something on
>> the Internet (unlike the typical proxy firewalls, you will use the IP
>> address of the actual device you want to get to; not the address of the
>> PIX), the PIX will get in the way of the session and ask for
>
>I had always heard such described as "transparent proxying"
The goal is to offer transparent user authentication while maintaining session
state. We also track TCP flags and TCP sequence numbers, and we randomize every TCP
session that goes through our stateful engine. We have a hashed table that
functions very much like a cross-bar switch that establishes a flow state.
Typical proxy-based firewalls fire off a process for every proxy session.
In typical Cisco fashion we will add more knobs to this feature. In some
sense, think of this as going from process switching to NetFlow switching.
Matt
>
>-- craig
>
>-------------------------------------------------------------------------------
>Craig I. Hagan          "It's a small world, but I wouldn't want to back it up"
>hagan@cih.com           "True hackers don't die, their ttl expires"
Matthew Howard
Product Line Manager            mhoward@cisco.com
Internet Business Unit 408-526-4720 (voice)
Cisco Systems Inc. 408-527-8122 (fax)
170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134
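The reply above describes a stateful engine that keys sessions into a hashed flow table, tracks TCP flags and sequence numbers, randomizes the sequence numbers of every session it carries, and applies cut-through authentication once per user for telnet, ftp and http before handing the flow to that engine. The following Python model is an added illustration of those mechanisms and is not PIX code or anything from Cisco; the `Packet`, `Flow` and `StatefulEngine` names, the `authenticator` callback standing in for the authentication prompt, the injectable `rng`, and all addresses, ports and sequence numbers are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, replace

MOD = 2 ** 32
AUTH_PORTS = {21, 23, 80}   # ftp, telnet, http: the cut-through proxy protocols named in the post


@dataclass
class Packet:
    """Constructed packet record; a real engine parses these fields from IP/TCP headers."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0


@dataclass
class Flow:
    state: str            # SYN_SENT -> ESTABLISHED (-> CLOSING); the entry is deleted on RST
    isn_offset: int       # random delta added to the client's sequence numbers
    client_seq: int       # highest client seq seen, before randomization
    server_seq: int = 0


class StatefulEngine:
    """Toy model (assumption, not PIX's implementation) of a hashed flow table with
    TCP flag/sequence tracking, ISN randomization and one-time cut-through auth."""

    def __init__(self, authenticator, rng=secrets.randbelow):
        self.flows = {}                      # hashed 5-tuple -> Flow (the post's "hashed table")
        self.authenticated = set()           # source addresses that already passed the prompt
        self.authenticator = authenticator   # callable(src_ip) -> bool; stands in for the prompt
        self.rng = rng                       # callable(n) -> int in [0, n); injectable for tests

    @staticmethod
    def key(src, sport, dst, dport):
        # Bucket index in the hash table; both directions of a flow resolve to one entry.
        return hashlib.sha1(f"tcp:{src}:{sport}>{dst}:{dport}".encode()).digest()

    def outbound(self, p):
        """Client -> server. Returns (verdict, packet as forwarded or None)."""
        k = self.key(p.src, p.sport, p.dst, p.dport)
        f = self.flows.get(k)
        if f is None:
            if p.flags != frozenset({"SYN"}):
                return "DROP: no flow for a non-SYN packet", None
            # Cut-through: authenticate the user once, then the flow table takes over.
            if p.dport in AUTH_PORTS and p.src not in self.authenticated:
                if not self.authenticator(p.src):
                    return "DROP: cut-through authentication failed", None
                self.authenticated.add(p.src)
            f = Flow("SYN_SENT", self.rng(MOD), p.seq)
            self.flows[k] = f
        elif f.state == "SYN_SENT" and p.flags != frozenset({"SYN"}):
            return "DROP: handshake not complete", None
        f.client_seq = max(f.client_seq, p.seq)   # 32-bit wraparound ignored in this model
        if "RST" in p.flags:
            del self.flows[k]
        elif "FIN" in p.flags:
            f.state = "CLOSING"
        # Randomize the client's sequence number as it leaves the engine.
        return "PASS", replace(p, seq=(p.seq + f.isn_offset) % MOD)

    def inbound(self, p):
        """Server -> client. Admitted only against an existing flow; the ack is un-randomized."""
        k = self.key(p.dst, p.dport, p.src, p.sport)   # reverse of the outbound tuple
        f = self.flows.get(k)
        if f is None:
            return "DROP: unsolicited inbound packet", None
        if f.state == "SYN_SENT":
            # The server must acknowledge exactly randomized ISN + 1; anything else is a
            # spoofed or stale segment (a full engine also validates windows once established).
            if "ACK" not in p.flags or p.ack != (f.client_seq + f.isn_offset + 1) % MOD:
                return "DROP: ack does not match randomized ISN", None
            if "SYN" in p.flags:
                f.state = "ESTABLISHED"
                f.server_seq = p.seq
        if "RST" in p.flags:
            del self.flows[k]
        return "PASS", replace(p, ack=(p.ack - f.isn_offset) % MOD)
```

The engine never spawns anything per session: each packet is a hash lookup plus a small state transition, which is the contrast with per-session proxy processes that the reply draws. Because the randomized offset is only known to the engine, an attacker who can guess the client's real ISN still cannot produce an ack the engine will accept for the half-open flow.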