Microsoft Proxy Server 2.0 (beta) incorporates a very significant NEW
feature in terms of security: firewall capabilities.
This feature gets very significant attention in Microsoft's marketing
promotions.
Although the marketing material on the web is very informative, I have
found very little technical information on this feature.
(Example: "Reverse Proxying - lets a Proxy Server 'impersonate'
a Web server to the outside world." OK. So while it plays "Halloween",
how does it check the candy for "healthy ingredients"?)
Two statements that are repeated by Microsoft bother me:
1. "Microsoft Proxy Server 2.0 provides firewall class security."
(The emphasis is on the word "class". Why not "Microsoft
Proxy Server 2.0 provides a firewall capability/feature"?)
2. Can I use Proxy Server as a firewall? (FROM THE FAQ)
"If you do not already have a firewall, and Proxy Server's feature set
meets your security needs, then Proxy Server can be used as the primary
firewall."
The emphasis is on "and Proxy Server's feature set meets your security
needs". Did anyone ever see a statement like "...and Exchange Server's
feature set meets your electronic mailing needs..."? Too delicate for my
taste coming from Microsoft.
After I DEFINED MY NEEDS I started doing a little research on firewall
technologies, encountering such very common notions as "Filtering
Gateway", "Application Gateway" and "stateful inspection".
Every firewall vendor I examined explained in detail its technology
concept in terms of packet handling in a very informative fashion. So I
could cross-reference my "needs" with the product's well-explained
defense capabilities.
Unfortunately, I tried a number of ways to get an explanation of
"Microsoft's mechanism for packet handling" through the newsgroup
and the mailing list ntsecurity@iss.net
(I got a LOT of reactions at ntsecurity@iss.net from colleagues
frustrated like me).
I got a response from MS two weeks ago that they will inform me!
I will post their response when I finally get it.
I am getting the impression that Microsoft doesn't want to position
Proxy Server 2.0 as an equal player in the firewall market, or hasn't
figured out the right status for it.
I am preparing a BIG marketing campaign towards the upcoming release of
Microsoft Proxy Server 2.0.
I am absolutely sure that the first point my competitors will attack is
Microsoft Proxy Server's firewall capabilities.
How will I position the product if I can't address Microsoft Proxy
Server's technical defense tools against inbound connections arriving
from the Internet?
My statements are:
1. "If you can't explain it, you can't sell it."
2. "One's weak knowledge is another's advantage."
I am posting here a transcript of the message posted at the Microsoft
Proxy 2 beta newsgroup.
---------------------------
Dear Friends,
There are two major types of firewalls deployed as Internet gateways at
present:
"Filtering Gateways" and "Application Gateways". Both firewall designs
aim to implement and enforce network security.
As I understand it, "Filtering Gateways" essentially make routing
decisions based on information contained at the packet level. If a
packet's contents meet the security policy criteria (port, IP,
destination) it is forwarded, or routed, to the other side of the
gateway. Otherwise it is blocked.
"Application Gateways", unlike "Filtering Gateways", operate at the
connection rather than the packet level (user name, protocol-specific
operation: GET, PUT).
"Application Gateways" are known to be more secure than "Filtering
Gateways" because they require the firewall provider to understand the
security implications of supporting an application.
They provide proxies for each service running behind the firewall.
A good "Firewall Application Gateway" will combine "Filtering Gateway"
features AND provide various proxies for services running behind the
proxy server, which will examine each packet's internal content
structure prior to sending the packet to the specific service (e.g. the
email message packet structure).
"Microsoft Proxy Server 2.0 (Beta) was primarily designed to manage
outbound connections and provide performance enhancements for clients on
an internal network accessing the Internet."
This design concept makes it a good "Application Gateway".
In my opinion, the MAIN job of a firewall is to address the security
issues of inbound connections coming from the Internet.
At this point Microsoft Proxy Server 2.0 (Beta) uses a mechanism called
dynamic packet filtering, a method that resembles "Filtering Gateways"
but functions "on demand".
Unfortunately I have found NO information on how Proxy Server 2.0
(Beta) deals with packets coming from the Internet (what proxy services
it provides for specific network services).
I will try explaining my point using an example:
Suppose I have a network with two servers: one is a Microsoft Proxy
Server connected to the Internet, the other is a Microsoft Exchange
Server sitting behind the proxy server. The Exchange server is "server
proxied" to the proxy server.
Now, using the dynamic packet filter option on the proxy server, if I try
to initiate a session with the Exchange server from a host on the
Internet (untrusted network) for the purpose of checking my mailbox, the
proxy server will open a connection for me for the specific session.
It provides 'direct' connectivity between me (untrusted) and the mail
system (trusted). I know that the proxy server forwards the packets
to the Exchange server, not opening a real direct connection, but before
it sends the packets,
DOES IT HAVE ANY CHECKING MECHANISM OF THE INTERNAL INTEGRITY AND THE
STRUCTURE OF THE SMTP PACKET?
AS I SEE IT (UNTIL I GET FURTHER INSIGHT ON THE MATTER) MICROSOFT PROXY
SERVER IS A REGULAR PACKET FILTERING GATEWAY WHEN IT COMES OUT OF THE
BOX NAKED (REGARDING INBOUND CONNECTIONS FROM THE INTERNET).
Microsoft Proxy Server 2.0 (Beta) functionality can be extended using
ISAPI (e.g. packet virus checking, etc.)
BUT WHAT DO WE GET "RIGHT OUT OF THE BOX"?
----------------------
I would appreciate any comment on the matter presented.
Yours Truly,
Itai Dor-on
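As an added illustration of the distinction the post draws (a filtering gateway decides on port, IP and destination only; an application gateway parses the protocol before relaying it), the Python below runs the same inbound packets through both kinds of gate. This is example code written for this page, not code from the original post and not Microsoft Proxy Server's mechanism; the mail-host address, the single filter rule, the sample traffic and the SMTP proxy checks are constructed assumptions. The 512-byte command-line limit and the CRLF terminator are taken from the SMTP specification (RFC 821 / RFC 5321, section 4.5.3).

```python
"""Toy contrast: packet-filtering gateway vs. SMTP application gateway.

Added example for this page; not from the original post and not the
behaviour of any real product. Addresses, rules and traffic are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# --- Filtering gateway: looks only at header fields (port, IP, destination) ---
MAIL_HOST = "10.0.0.5"  # constructed address of the mail server behind the proxy
# Hypothetical policy: any Internet host may reach the mail host on TCP/25.
FILTER_RULES = [
    # (dst_ip, dst_port, action)
    (MAIL_HOST, 25, "allow"),
]


def packet_filter(pkt: Packet) -> str:
    """Stateless header match; the payload is never examined."""
    for dst_ip, dst_port, action in FILTER_RULES:
        if pkt.dst_ip == dst_ip and pkt.dst_port == dst_port:
            return action
    return "deny"  # default deny


# --- Application gateway: parses the SMTP command line before relaying it ---
SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "VRFY"}
MAX_LINE = 512  # SMTP maximum command-line length, including CRLF


def smtp_proxy_check(payload: bytes) -> tuple:
    """Return (verdict, reason). Rejects lines a packet filter would relay blindly."""
    if len(payload) > MAX_LINE:
        return ("reject", "command line exceeds 512 bytes")
    if not payload.endswith(b"\r\n"):
        return ("reject", "missing CRLF terminator")
    line = payload[:-2]
    if any(b < 0x20 or b > 0x7F for b in line):
        return ("reject", "control or 8-bit byte in command line")
    verb = line.split(b" ", 1)[0].upper().decode("ascii")
    if verb not in SMTP_COMMANDS:
        return ("reject", f"unknown command {verb!r}")
    if verb in ("MAIL", "RCPT"):
        # Require the angle-bracketed path form the RFC defines for these commands.
        if not re.fullmatch(rb"(MAIL FROM|RCPT TO):\s*<[^<>\s]*>(\s.*)?", line, re.I):
            return ("reject", f"malformed {verb} argument")
    return ("accept", "well-formed SMTP command")


def gateway_decisions(pkt: Packet) -> dict:
    """What each gateway type does with the same inbound packet."""
    filt = packet_filter(pkt)
    # The application gateway sits behind the same header policy, then parses.
    app = filt if filt == "deny" else smtp_proxy_check(pkt.payload)[0]
    return {"filtering_gateway": filt, "application_gateway": app}


# Constructed sample traffic from an untrusted Internet host (203.0.113.7).
SAMPLES = {
    "legit": Packet("203.0.113.7", MAIL_HOST, 25, b"MAIL FROM:<alice@example.net>\r\n"),
    "oversized": Packet("203.0.113.7", MAIL_HOST, 25, b"VRFY " + b"A" * 600 + b"\r\n"),
    "bogus_verb": Packet("203.0.113.7", MAIL_HOST, 25, b"EXEC cmd\r\n"),
    "wrong_port": Packet("203.0.113.7", MAIL_HOST, 139, b"\x00\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {gateway_decisions(pkt)}")
```

The "oversized" and "bogus_verb" packets arrive on the permitted port for the permitted host, so the filtering gateway relays them unchanged; only the SMTP-aware proxy rejects them, which is the difference the post is asking Microsoft to account for. A dynamic filter that opens port 25 on demand for a session does not change this outcome, because it still decides on header fields and never looks inside the command line.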