Great Circle Associates Firewalls
(January 1995)
 


Subject: Re: benefit of proxy-server
From: Rik Farrow <rik @ apache . spirit . com>
Date: Sun, 29 Jan 1995 09:36:11 -0700
To: Firewalls @ greatcircle . com, jon @ nytimes . com
Reply-to: rik @ spirit . com

> What are the main advantages/disadvantages of using socks vs. a tis toolkit
> based firewall (maybe a brief summary???)?

I never saw an answer to this, so thought I might try one.

Both SOCKS and the TIS Firewall Toolkit (FWTK) are proxy servers.  Both can
run on dual-homed hosts, that is a computer with two network interfaces
and automatic forwarding between the two interfaces disabled.  The set
of client software supported is similar, but not identical (SOCKS also
supports whois and finger, FWTK supports rlogin, both support ftp,
telnet, WWW).

There are real differences.  The biggest one (IMHO) is that SOCKS 
_requires_ modified clients.  The SOCKS distribution includes modified
clients, and you can even get precompiled clients for Macs and PCs.
But you can't use off-the-shelf Internet clients with SOCKS.  FWTK
will work with off-the-shelf client programs, but not all (because the
user must talk to the proxy server, for example, tell the ftp proxy to
connect to another ftp site by using user@sitename.xxx, which might
not work with all point-and-click interfaces).

Another difference has to do with logging.  The SOCKS proxy server,
which runs on the firewall, does some logging.  But so does each client.
So a user using the rftp client (SOCKSified ftp) has filenames logged
on the local system rather than on the firewall.  FWTK logs whatever
information you want about ftp commands at the firewall.  Their ftp
proxy server is not a generic one, like SOCKS, but specific.

SOCKS is for internal clients, and doesn't include authentication.  You
can wrap SOCKS with TCP Wrapper, but that approach (relying on an IP
address for authentication) has been shown to be quite dangerous lately.
FWTK includes an authentication server which works for connections from
either inside or outside, and supports several varieties of one-time
passwords.

There are other differences (for example, you must license FWTK if
you want to repackage and resell it), but I think these are the major
points.  Both SOCKS and FWTK have their uses and champions.

Regards,
Rik Farrow
rik @ spirit . com
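
Added example, not part of the message above and not code from either toolkit: how the destination reaches the proxy in each model. It assumes the SOCKS version 4 wire format for the modified client and, for the application-proxy side, that the user@sitename argument is split at the last '@'; function names and sample addresses are constructed.

```python
import ipaddress
import re
import struct
from typing import Tuple

SOCKS4_VERSION = 4    # protocol version byte (assumption: SOCKS version 4)
SOCKS4_CONNECT = 1    # command code: CONNECT
SOCKS4_GRANTED = 90   # reply code: request granted

def socks4_connect_request(dst_ip: str, dst_port: int, userid: str) -> bytes:
    """Bytes a SOCKSified client must send to the proxy before any
    application data. An unmodified client never emits this header,
    which is why SOCKS needs modified clients."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    if "\x00" in userid:
        raise ValueError("userid must not contain NUL")
    addr = ipaddress.IPv4Address(dst_ip).packed
    header = struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port)
    # userid is a string the client asserts about itself; nothing proves it.
    return header + addr + userid.encode("ascii") + b"\x00"

def socks4_reply_granted(reply: bytes) -> bool:
    """Check the proxy's 8-byte reply: first byte 0, second the result code."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1] == SOCKS4_GRANTED

_HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

def parse_proxy_user(arg: str) -> Tuple[str, str]:
    """Split the 'user@sitename' argument a stock ftp client sends in USER
    to an application proxy. The destination travels in-band, so the proxy
    sees (and can log or refuse) it without any client changes.
    Assumption: split at the last '@'."""
    user, sep, host = arg.rpartition("@")
    if not sep or not user or not host:
        raise ValueError("expected user@sitename")
    # Validate before resolving: the proxy will connect to this name.
    if not _HOST_RE.fullmatch(host):
        raise ValueError("invalid host name")
    return user, host.lower()

if __name__ == "__main__":
    # Constructed sample values (192.0.2.10 is a documentation address).
    print(socks4_connect_request("192.0.2.10", 21, "rik").hex())
    print(parse_proxy_user("anonymous@ftp.example.com"))
```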
