Great Circle Associates Firewalls
(November 1994)

Subject: Re: Transparent Proxys
From: "Peter Cox" <peter @ sea-europe . co . uk>
Date: Fri, 25 Nov 1994 00:33:46 +0000
To: Andreas Greulich <greulich @ math-stat . unibe . ch>
Cc: firewalls @ GreatCircle . com
Encoding: 42 TEXT , 4 TEXT
In-reply-to: Your message of Thu, 24 Nov 1994 11:37:42 +0000.<9411241137 . AA08275 @ grimsel>

[Note: Sea Change Europe is the European Supplier of Janus]

>
>I think this subject was already touched here sometime, but I can't
>remember exactly... one of the problems with firewalls is the need
>to change client programs or user behaviour. What I wonder is if the
>following would be possible: the internal routers of the network are
>configured to route all packets to external addresses to
>a router-address that actually IS the firewall. The internal hosts
>would never address the firewall directly. If, for example, an internal
>host builds an ftp to an external address, the firewall would
>receive it in the function of a router. Before relaying the
>connection to the outside, it could "simulate" an already built up
>connection back to the caller (who "thinks" it's connected to the
>external host already) 


This is almost exactly how Janus works.

Client software remains unchanged; the static default route for internal
systems is the firewall. When I make an ftp connection it is "accepted" by
the firewall proxy server, which then transparently makes the on-going
connection to the final destination. When this connection is established,
data is relayed back to the originating system.

>It could be that this is exactly the mechanism used in the janus firewall
>that seems to offer "transparent proxies", but I'm not sure about it.
>Does it also use the idea of simulating connections and in this simulation
>adding additional communication for performing user authentication?
>The idea seems simple - why is it usually not used? Are there
>security weaknesses inherent that I oversee? What are disadvantages
>of this approach?


Janus does not provide additional authentication for outgoing connections;
there is no need, as the authentication is a task for the remote system.

Incoming connections are much more tightly controlled; mostly they are
prohibited. Services like anonymous ftp and web are provided on the firewall.
If you really want connections to internal systems (eg telnet), then
other authentication mechanisms are used (challenge/response).


************************************************************************
* Peter Cox        Sea Change Corporation Europe                       *
* peter @ sea-europe . co . uk  Phone: 44-1753-581800    Fax: 44-1753-581501 *
************************************************************************
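As an added illustration (not part of the original post, and not Janus code), the following Python program implements the mechanism the reply describes: internal hosts default-route to the firewall, the firewall accepts the connection as if it were the destination, checks a policy, makes the on-going connection, and then relays bytes in both directions. It also encodes the second point of the reply, that outbound connections are relayed without extra authentication while inbound connections are simply refused. The names `lookup_original_dst`, `dial`, `allow`, the address ranges and the loopback stand-in for the "external" host are constructed assumptions so that it runs offline; on a real Linux firewall the original destination would come from the kernel (a netfilter REDIRECT rule plus the SO_ORIGINAL_DST socket option) and `dial` would simply be `socket.create_connection(dst)`.

```python
"""Added example (not Janus code): a minimal transparent TCP relay of the kind
the post describes. Constructed assumptions: the caller supplies
`lookup_original_dst` (on a real Linux firewall: SO_ORIGINAL_DST) and `dial`
(normally socket.create_connection), so the self-test can run on loopback."""
import ipaddress
import socket
import threading

# Constructed: address ranges treated as "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def allow(client_ip: str, dst_ip: str) -> bool:
    """Policy from the post: outbound (internal -> external) is relayed without
    extra authentication; inbound (external -> internal) is refused outright."""
    return is_internal(client_ip) and not is_internal(dst_ip)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the far side so the peer
    sees end-of-stream exactly as it would on a direct connection."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket, client_ip: str, lookup_original_dst, dial,
           decide=allow) -> bool:
    """Serve one accepted connection; return True if it was relayed."""
    dst_ip, dst_port = lookup_original_dst(client)
    if not decide(client_ip, dst_ip):
        client.close()                      # refused: nothing is dialled or relayed
        return False
    upstream = dial((dst_ip, dst_port))     # the "on-going connection"
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)                 # client -> destination in this thread
    back.join()
    upstream.close()
    client.close()
    return True


def _recv_all(sock: socket.socket) -> bytes:
    data = b""
    while chunk := sock.recv(4096):
        data += chunk
    return data


def run_demo(message: bytes = b"hello firewall") -> bytes:
    """Loopback self-test: stand-in external host, the firewall relay, a client."""
    ext = socket.socket()                   # stand-in "external" server: upper-cases input
    ext.bind(("127.0.0.1", 0)); ext.listen(1)

    def ext_server():
        conn, _ = ext.accept()
        with conn:
            conn.sendall(_recv_all(conn).upper())
    threading.Thread(target=ext_server, daemon=True).start()

    fw = socket.socket()                    # the firewall: internal default-route target
    fw.bind(("127.0.0.1", 0)); fw.listen(1)

    def firewall():
        conn, _ = fw.accept()
        # Constructed: client is 10.1.2.3 and the router handed us its packet for 203.0.113.5:21.
        handle(conn, "10.1.2.3",
               lookup_original_dst=lambda s: ("203.0.113.5", 21),
               dial=lambda dst: socket.create_connection(ext.getsockname()))
    threading.Thread(target=firewall, daemon=True).start()

    client = socket.create_connection(fw.getsockname())   # client never names the firewall
    client.sendall(message)
    client.shutdown(socket.SHUT_WR)         # client has finished its request
    reply = _recv_all(client)
    client.close(); ext.close(); fw.close()
    return reply


def refused_demo() -> bool:
    """An inbound attempt (external source, internal destination) is closed
    without any onward connection being made."""
    fw_side, peer = socket.socketpair()

    def never_dial(dst):
        raise AssertionError("refused connections must not be dialled")
    relayed = handle(fw_side, "203.0.113.5", lambda s: ("10.0.0.1", 23), never_dial)
    saw_eof = peer.recv(16) == b""
    peer.close()
    return not relayed and saw_eof


if __name__ == "__main__":
    print(run_demo(), refused_demo())
```

The client in `run_demo` only ever connects to the firewall's listener, which stands in for "the default route is the firewall": it needs no proxy-aware software and no knowledge of the firewall's address. The half-close in `_pump` matters for protocols such as ftp control channels, where one side signals end-of-request with a shutdown rather than a full close; a relay that tears both directions down on the first EOF would break them.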

