I've been plunging into an investigation of firewall technology, and some of
the terminology has proven to be quite a problem. The use of "application
gateway" and "proxy" seems to be very ambiguous, and both terms are often used
to mean different things. I'd like to mention what I think I understand,
and invite discussion and correction.
In one case, like the (versions of) ptelnet and pftp I've used, these programs
seem to start versions of telnet or ftp on a bastion host in the firewall DMZ.
The program I run on my machine seems to be a client of the program really
providing services on the bastion host. In conventional terms, the program
running on the bastion is relaying messages, acting as a "proxy."
A different flavor of this involves our use of the TIS firewall toolkit. I
use conventional telnet, unmodified, to connect to a program running on the
bastion host. The bastion program authenticates my request, and makes a
telnet connection to the target system. It then relays messages, acting as
a "proxy."
Finally, one could (we don't) run SOCKSified versions of programs, say telnet.
In such a case, both the client and server (on the bastion) would have to be
modified for SOCKS. I believe that the protocol first performs an
authentication, and then the server just relays messages, acting also as
a "proxy."
I may have some of this wrong, maybe a lot. However, in each case, a "proxy"
is involved, which should perform authentication, and then just relay messages.
In each case, only the proxy is visible to the outside world.
Have I gotten this right?
Some of my confusion results from references to "proxy" support as if there's
only one variety of proxy, when there appears to be a number of varieties.
This is acute when one is trying to set up some flavor of Mosaic.
Any clarifications, or pointers to them, would be greatly appreciated...
_________________________________________________________________
Craig Newmark Distributed Systems Security Architect
Charles Schwab & Company 415.627.8413
These are my own opinions, not necessarily those of my employer.
personal mail: cnewmark@well.sf.ca.us or cnewmark@crl.com
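The third flavor described in the post (a SOCKSified client talking to a SOCKS server on the bastion, which authenticates and then relays) can be made concrete by tracing the handshake on the wire. The following is an added example, not code from the original post or from any of the toolkits it mentions. It implements the SOCKS5 method negotiation (RFC 1928) and username/password subnegotiation (RFC 1929) as pure functions over bytes, so both the client's and the bastion's messages can be inspected offline. The credential store, the allowed-port policy, and the user/host names are constructed assumptions for illustration.

```python
"""SOCKS5 handshake traced offline: client greeting, bastion method selection,
username/password authentication, then the CONNECT request the bastion would
act on before relaying bytes. Constructed example; not from any real toolkit."""
import hmac
import socket
import struct

VER = 0x05
METHOD_NOAUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02

# Hypothetical credential store and per-port policy (assumptions for the example).
CREDENTIALS = {"craig": b"correct horse"}
ALLOWED_PORTS = {21, 23}  # only ftp and telnet may be relayed through this bastion


# ---- client side (the "SOCKSified" program) ----
def client_greeting(methods=(METHOD_USERPASS,)):
    """VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods), *methods])


def client_auth(username, password):
    """RFC 1929: VER(0x01) | ULEN | UNAME | PLEN | PASSWD"""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (domain-name form)."""
    h = host.encode()
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


# ---- bastion side (the SOCKS server) ----
def server_select_method(greeting):
    """Pick an auth method; a bastion must never fall back to NOAUTH."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    chosen = METHOD_USERPASS if METHOD_USERPASS in offered else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def server_check_auth(msg):
    """Parse the RFC 1929 message; return (reply bytes, authenticated?)."""
    if len(msg) < 3 or msg[0] != 0x01:
        raise ValueError("bad auth subnegotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    if len(msg) != 3 + ulen + plen:
        raise ValueError("auth message length mismatch")
    stored = CREDENTIALS.get(user)
    # Constant-time compare; a missing user still runs a comparison.
    ok = hmac.compare_digest(stored if stored is not None else b"\x00", password)
    return bytes([0x01, 0x00 if ok else 0x01]), bool(ok)


def server_parse_connect(msg):
    """Return (host, port) from a CONNECT request; reject anything else."""
    ver, cmd, _rsv, atyp = msg[:4]
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is supported")
    if atyp == ATYP_IPV4:
        return socket.inet_ntoa(msg[4:8]), struct.unpack("!H", msg[8:10])[0]
    if atyp == ATYP_DOMAIN:
        n = msg[4]
        return msg[5:5 + n].decode(), struct.unpack("!H", msg[5 + n:7 + n])[0]
    raise ValueError("unsupported address type")


def server_connect_reply(rep, bind_addr="0.0.0.0", bind_port=0):
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_addr) + struct.pack("!H", bind_port)


def run_handshake(username, password, host, port):
    """Drive both sides; return (trace of (side, bytes), relay_allowed, target)."""
    trace = []
    g = client_greeting()
    trace.append(("client", g))
    sel = server_select_method(g)
    trace.append(("bastion", sel))
    if sel[1] != METHOD_USERPASS:
        return trace, False, None
    a = client_auth(username, password)
    trace.append(("client", a))
    reply, ok = server_check_auth(a)
    trace.append(("bastion", reply))
    if not ok:
        return trace, False, None  # bastion closes the connection here
    c = client_connect(host, port)
    trace.append(("client", c))
    target_host, target_port = server_parse_connect(c)
    rep = REP_SUCCEEDED if target_port in ALLOWED_PORTS else REP_NOT_ALLOWED
    trace.append(("bastion", server_connect_reply(rep)))
    # On REP_SUCCEEDED a real server opens the outbound socket and copies bytes both ways.
    return trace, rep == REP_SUCCEEDED, (target_host, target_port)


if __name__ == "__main__":
    for side, msg in run_handshake("craig", "correct horse", "inside.example", 23)[0]:
        print(f"{side:8s} {msg.hex()}")
```

Only the final step (copying bytes in both directions once the CONNECT is accepted) is omitted; everything before it is the "authenticate, then relay" sequence the post describes, and the trace shows that the outside world never sees anything but the bastion's replies. Note that `server_select_method` answers `0xFF` if the client offers only no-authentication, which is the check a bastion-hosted SOCKS server should make.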