To end this discussion, I have two questions to submit:
* OK, theoretically speaking, proxies (application gateways) are better
since they are supposed to analyse the traffic (data is more appropriate).
But who can actually tell me what his proxy actually does more than open
two connections:
inside net <-----> FW <------> outside net
and let the data through after authenticating the users and checking port,
sequence and things like that.
Yes, for ftp, many proxies analyse the commands and can allow/disallow
get/put... But what about mail proxies? telnet proxies? http proxies?...
Marcus J. Ranum very correctly said a mail proxy should look for the famous
"|..." hole. Yes but it should also warn the admin when such a mail comes
in and where it came from.
I have the impression (maybe false?) that proxies don't actually do more
than opening connections and shuffling packets from one side to the other
while keeping track of the connection state. At least, that is what one can
think when reading a fw documentation, which doesn't explain the proxy in
sufficient detail.
* This brings along another question: proxies should be updated regularly
in order to integrate the new holes which have been discovered in the
protocols/applications. How often do you fw administrators update your
proxies?
Bruno
_________________________________________________________________________
Bruno MAMER                                        bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor             Computing and Network Services
Our local archive on security:
http://www.crpht.lu/CNS/html/PubServ/Security/security-home.html
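The two kinds of application-level checks the post asks about, an FTP command allow-list and a mail proxy that flags the "|..." hole and records where the mail came from, as an added illustration. This is not code from the original post or from any firewall product; it assumes the proxy sees SMTP envelope commands and FTP control-channel commands as text lines, and the sample traffic and source addresses below are constructed.

```python
import logging
import re
from dataclasses import dataclass

# Constructed sample traffic: (source address of the connection, command line
# as the proxy would read it from the client). Addresses are documentation
# ranges, the program path is a placeholder.
SAMPLE_SMTP = [
    ("192.0.2.10", "MAIL FROM:<alice@example.org>"),
    ("192.0.2.10", "RCPT TO:<bob@example.net>"),
    ("198.51.100.7", "MAIL FROM:<|/path/to/program>"),  # the "|..." case
    ("198.51.100.7", "RCPT TO:<bob@example.net>"),
]
SAMPLE_FTP = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "RETR README"),
    ("192.0.2.10", "STOR secrets.txt"),  # "put" is not allowed by our policy
    ("192.0.2.10", "QUIT"),
]

# Matches the SMTP envelope commands and captures the address inside <...>.
ENVELOPE_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>]*)>?", re.IGNORECASE)


@dataclass
class Alert:
    """What the administrator should be told: who sent what, and why it was stopped."""
    source: str
    command: str
    reason: str


def check_smtp_command(source, line):
    """Return (allowed, alert). Envelope addresses containing '|' are refused."""
    m = ENVELOPE_CMD.match(line.strip())
    if m is None:
        return True, None  # not an envelope command; relay it unchanged
    address = m.group(2)
    if "|" in address:
        return False, Alert(source, line.strip(), "pipe character in envelope address")
    return True, None


# Read-only FTP policy: "get" (RETR) is allowed, "put" (STOR) is not.
FTP_ALLOWED = {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "TYPE", "PASV", "PORT", "QUIT"}


def check_ftp_command(source, line):
    """Return (allowed, alert). Anything outside the allow-list is refused."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in FTP_ALLOWED:
        return True, None
    return False, Alert(source, line.strip(), f"FTP command {verb} not permitted by policy")


def run_filter(check, traffic):
    """Apply a check to each (source, line); warn the admin and collect every refusal."""
    alerts = []
    for source, line in traffic:
        allowed, alert = check(source, line)
        if not allowed:
            logging.warning("refused from %s: %s (%s)", alert.source, alert.command, alert.reason)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    run_filter(check_smtp_command, SAMPLE_SMTP)
    run_filter(check_ftp_command, SAMPLE_FTP)
```

The point of the `Alert` record is the second half of the post's request: refusing the command is not enough, the administrator also needs the source address and the offending line, which is exactly what a connection-shuffling proxy that only tracks state would not give.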
-------------------------------------------------------------------------