In article <9411160029.AA00143@w0042dev.schwab.com> writes:
>
>Some of my confusion results from references to "proxy" support as if there's
>only one variety of proxy, when there appears to be a number of varieties.
>This is acute when one is trying to set up some flavor of mosaic.
>
>Any clarifications, or pointers to them, would be greatly appreciated...
You mentioned three types of application proxies in your e-mail
message to the firewalls mailing list. There is, in fact, another type
of application proxy (at least one other, anyway). The JANUS
Firewall Server (a commercial firewall), provides an application proxy
where the internal user uses an unmodified client application (like telnet,
Mosaic, etc.) and accesses the remote Internet resource directly -
no explicit connection to the firewall is needed.
I agree with your assessment that 'application proxy' is a generic
term that can in fact mean very different specific things. The
commonality between all application proxies is that they terminate the TCP
connection at the firewall device, and thus do not directly route
IP packets between their interfaces. What an application proxy buys you
over a filtering firewall (like a Livingston IRX, or Cisco router) is
that with an application proxy, outside Internet processes
interact with only the firewall's application stack. This is a
Good Thing since some vendors' TCP applications (like various versions of
sendmail, FTP, Telnet) have security holes in them. The presumption
here is that the application proxy's application stacks have been
rigorously tested and examined to make as sure as possible that
there are no security holes in them.
Application proxies typically also provide additional functionality as
well. A common example is to provide secure authentication. The standard
telnet protocol sends passwords in clear text over the wire. The
Internet, being what it is, has periodic outbreaks of crackers
who use packet sniffers to harvest passwords. A good application
proxy system will insert some sort of one-time password system into the
loop to foil such attacks.
Hope this helps.
--
Phil Trubey
NetPartners | Providing Internet products and services.
E-mail: phil@netpart.com | Home Page: http://www.netpart.com/
Phone: 714-759-1641
References: terminology, from cnewmark@schwab.com (craig newmark)
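As an added illustration (not part of this post, nor code from JANUS or any other product it mentions) of the two properties described above: the inside client's TCP connection terminates at the proxy, an S/Key-style hash-chain one-time password is checked, and only then does the proxy's own stack dial out and relay bytes. The `CONNECT host port otp_hex` request line, the SHA-256 hash chain and the `dial` callback are assumptions of this example; it needs Python 3.8 or later.

```python
import hashlib
import socket
import threading

class OneTimePasswords:
    """S/Key-style hash chain: the proxy stores only H^n(seed), never the seed."""
    def __init__(self, enrolled: bytes):
        self.current = enrolled
    def verify(self, candidate: bytes) -> bool:
        # A login presents the link before the stored one; once accepted it
        # replaces the stored value, so a sniffed password cannot be replayed.
        if hashlib.sha256(candidate).digest() != self.current:
            return False
        self.current = candidate  # advance the chain: this link is now spent
        return True

def make_chain(seed: bytes, n: int) -> list:
    chain = [seed]  # client side: [seed, H(seed), ..., H^n(seed)]; enrol chain[n]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain

def authorize(request: bytes, otp: OneTimePasswords):
    parts = request.split()  # assumed format: b"CONNECT host port otp_hex"
    if len(parts) != 4 or parts[0] != b"CONNECT":
        return None
    try:
        target, password = (parts[1].decode(), int(parts[2])), bytes.fromhex(parts[3].decode())
    except ValueError:
        return None
    return target if otp.verify(password) else None  # (host, port), or refused

def pump(src: socket.socket, dst: socket.socket) -> None:
    while data := src.recv(4096):  # copy until the sender closes its side
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other party
    except OSError:
        pass

def serve(client: socket.socket, otp: OneTimePasswords, dial) -> bool:
    """Inside connection ends here; the proxy's own stack dials out only after the OTP passes."""
    head, _, rest = client.recv(4096).partition(b"\n")  # demo: header fits one read
    target = authorize(head, otp)
    if target is None:
        return False  # caller closes the client socket; nothing was dialled
    upstream = dial(target)  # e.g. socket.create_connection
    client.sendall(b"OK\r\n")
    upstream.sendall(rest)  # bytes that arrived behind the header belong upstream
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)
    return True
```

Outside peers only ever see connections originating from the proxy host, and a password captured off the wire is already spent by the time a sniffer can reuse it.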