Great Circle Associates Firewalls
(November 1994)
 


Subject: Re: terminology
From: Phil Trubey <phil @ netpart . com>
Organization: NetPartners, Newport Beach, CA
Date: Fri, 18 Nov 1994 11:39:14 -0800
To: cnewmark @ schwab . COM, cnewmark @ well . sf . ca . us
Cc: firewalls @ greatcircle . com
In-reply-to: <9411160029 . AA00143 @ w0042dev . schwab . com>
Newsgroups: np.firewalls

In article <9411160029 . AA00143 @ w0042dev . schwab . com> writes:
>
>Some of my confusion results from references to "proxy" support as if there's
>only one variety of proxy, when there appears to be a number of varieties.
>This is acute when one is trying to set up some flavor of mosaic.
>
>Any clarifications, or pointers to them, would be greatly appreciated...

You mentioned three types of application proxies in your e-mail 
message to the firewalls mailing list.  There is, in fact, another type
of application proxy (at least one other one, anyway).  The JANUS
Firewall Server (a commercial firewall), provides an application proxy 
where the internal user uses an unmodified client application (like telnet,
Mosaic, etc.) and accesses the remote Internet resource directly -
no explicit connection to the firewall is needed.

I agree with your assessment that 'application proxy' is a generic
term that can in fact mean very different specific things.  The 
commonality between all application proxies is that they terminate the TCP 
connection at the firewall device, and thus do not directly route
IP packets between their interfaces.  What an application proxy buys you
over a filtering firewall (like a Livingston IRX, or Cisco router) is
that with an application proxy, outside Internet processes 
interact with only the firewall's application stack.  This is a
Good Thing since some vendors' TCP applications (like various versions of 
sendmail, FTP, Telnet) have security holes in them.  The presumption
here is that the application proxy's application stacks have been
rigorously tested and examined to make as sure as possible that 
there are no security holes in them.

Application proxies typically also provide additional functionality as
well.  A common example is to provide secure authentication.  The standard
telnet protocol sends passwords in clear text over the wire.  The 
Internet, being what it is, has periodic outbreaks of crackers
who use packet sniffers to harvest passwords.  A good application 
proxy system will insert some sort of one time password system into the
loop to foil such attacks.  

Hope this helps.
-- 
Phil Trubey                 | 
NetPartners                 | Providing Internet products and services. 
E-mail: phil @ netpart . com    |   Home Page: http://www.netpart.com/
Phone:  714-759-1641        |
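
Added example, not part of the original message: a sketch of the one-time password check an application proxy could insert into a login, showing why a password captured by a sniffer is useless on replay. The message does not say which scheme is meant; this assumes a Lamport-style hash chain with SHA-256, and the names `chain` and `ProxyOtpVerifier` and all sample values are constructed for illustration.

```python
import hashlib
import hmac


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Apply the hash n times to seed||secret: H^n(seed || secret)."""
    value = seed + secret
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class ProxyOtpVerifier:
    """Per-user state kept on the proxy: last accepted value and its counter.

    The proxy never stores the secret itself, only H^n(seed || secret).
    """

    def __init__(self, seed: bytes, n: int, initial: bytes):
        self.seed = seed
        self.counter = n      # the next challenge asks for counter - 1
        self.last = initial   # H^n(seed || secret), enrolled out of band

    def challenge(self) -> tuple[int, bytes]:
        # Iteration 0 would be the raw secret, so stop before reaching it.
        if self.counter <= 1:
            raise RuntimeError("chain exhausted; user must re-enroll")
        return self.counter - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # A valid response hashes forward exactly once to the stored value.
        digest = hashlib.sha256(response).digest()
        if not hmac.compare_digest(digest, self.last):
            return False
        self.last = response  # ratchet: this password is now spent
        self.counter -= 1
        return True


def demo() -> list[bool]:
    secret, seed = b"constructed-passphrase", b"fw01"  # constructed samples
    verifier = ProxyOtpVerifier(seed, 100, chain(secret, seed, 100))
    n, s = verifier.challenge()
    on_the_wire = chain(secret, s, n)        # the value a sniffer would see
    first = verifier.verify(on_the_wire)     # legitimate login
    replay = verifier.verify(on_the_wire)    # same value presented again
    n2, s2 = verifier.challenge()
    second = verifier.verify(chain(secret, s2, n2))
    return [first, replay, second]


if __name__ == "__main__":
    print(demo())
```

Because the hash is one-way, the value seen on the wire for challenge n cannot be turned into the value needed for challenge n-1.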


References:
  • terminology
    From: cnewmark @ schwab . com (craig newmark)