Thank you Kent for the elaborate answer. I really appreciate it.

John
""Kent Hundley""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> John,
>
> The question is not as simple as it seems.  Over the past 3-4 years the
> terms "proxy" and "stateful filtering" have been considerably "vendorized"
> so that what one vendor or person refers to as a "proxy" may not be exactly
> the same as what another vendor or person refers to.  Ditto for "stateful
> filtering".
>
> The easy one first. Packet filtering, sometimes called non-stateful
> filtering, works up through layer 4.  You can filter on IP address, TCP or
> UDP port numbers and some limited TCP flags (such as the SYN or ACK bit).
> If a filter can do more than this, it's probably a stateful filter.
>
> The idea behind a proxy server is that a proxy server acts as a server to a
> trusted client and as a client to an untrusted server.  In transparent mode,
> both the trusted client and the untrusted server believe they are talking to
> each other and are unaware that there is a 3rd party, the proxy, involved.
> In non-transparent mode, at least the client is aware of the proxy although
> the server may not be. Some applications can be proxied transparently,
> others can be but require additional software, some are very difficult to
> proxy transparently.
>
> Since proxies must support the actual application used, it works through all
> 7 layers.  The basic idea is that since the proxy actually terminates the
> connection on both the client side and the server side, it can inspect and
> reject any portion of the application that does not conform to certain rules
> defined by the site implementing the proxy.
>
> While this works well in theory, in reality a true proxy can be problematic
> and may not be any more secure than other methods such as SPF. (more on this
> in a minute)
>
> Stateful filtering generally implies inspecting a packet at least up through
> layer 4, but not necessarily beyond that.  Strictly speaking, a SPF must be
> aware of the way an app uses ports, but it's arguable whether this is layer 7
> awareness.  For example, an SPF must understand that FTP opens a
> back-channel connection.  Some SPFs examine the FTP PORT command to see
> which port the reverse connection should originate from.  This could be
> called layer 7 since you must look at the actual FTP commands.  In general,
> the layer at which the SPF operates depends on the application used and the
> vendor's implementation.  For common apps, an SPF implementation may have
> limited functionality at layer 7, but for uncommon apps it is probably
> functioning more at layer 4 and just maintaining "state". (IP src/dst, TCP
> src/dst, etc.)
>
> It is generally believed that a true proxy is more secure than SPF.  The
> idea being that a proxy is "forced" to look at all 7 layers.  This is not
> exactly true.  A proxy must terminate an application, but if an app is not
> well known, it is typical for the proxy to use a "plug gateway" and simply
> take the data from the server and give it to the client and vice versa.
> Even for well-known apps, it is difficult to determine what may or may not
> be "dangerous" content and typically a proxy will just block application
> commands that are erroneous or malformed although more options may be
> available for well-known apps.  Additionally, there is no technical reason
> why a SPF cannot look at the data portion of a packet, in fact most SPF
> implementations look at the data portion of some well-known apps and allow
> limited filtering. (i.e. blocking FTP get or put requests)
>
> On top of all this, some SPF implementations have limited true proxy ability
> (i.e. Checkpoint) and some proxy implementations have some SPF ability (i.e.
> Gauntlet).
>
> That's a bit of a long-winded answer, but the skinny of all this would be:
>
> packet filter - layer 4
> SPF - layer 4-7 depending on app
> proxy - layer 7 (but may not _examine_ layer 7 info depending on app, so may
> really be only looking at layer 4 info)
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> John Tafasi
> Sent: Saturday, November 10, 2001 8:50 PM
> To: [EMAIL PROTECTED]
> Subject: CID: Firewalls [7:25757]
>
>
> Hi Group,
>
> I am a little confused about the OSI layers at which different types of
> firewalls work (proxy, packet filters and stateful firewalls). Can anybody
> help with that?
>
> Thanks
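A toy model of the distinction Kent draws between a layer-4 packet filter and a stateful filter, added here as an illustration; it is not code from this thread or from any firewall product. The stateless filter judges every packet in isolation by addresses, ports and TCP flags, so an inbound packet with ACK set and a high destination port passes even though no connection exists. The stateful filter keeps a connection table and peeks at the FTP control channel for the PORT command (the "h1,h2,h3,h4,p1,p2" form of RFC 959) so it can pre-authorize the one back-channel data connection the server will open and refuse everything else. The packet layout, the addresses, the "10.0.0." inside prefix and the rule that a PORT command may only name the client itself are all constructed assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed packet abstraction: just the header fields a filter cares about.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # subset of {"SYN", "ACK"}
    payload: bytes = b""


# --- Layer-4 packet filter (no state) ---------------------------------
def stateless_filter(pkt: Packet, inside: str = "10.0.0.") -> bool:
    """Decide on one packet alone: addresses, ports and flags only."""
    if pkt.src.startswith(inside):
        return True                                  # anything leaving is fine
    # Classic "established" rule: ACK without SYN to an unprivileged port.
    # Nothing here can tell whether that connection was ever opened.
    return "ACK" in pkt.flags and "SYN" not in pkt.flags and pkt.dport >= 1024


# --- Stateful filter with a layer-7 peek at FTP's PORT command --------
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def parse_port(payload: bytes):
    """Return (host, port) from an FTP PORT command, or None if absent."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


class StatefulFilter:
    def __init__(self, inside: str = "10.0.0."):
        self.inside = inside
        self.conns = set()      # (client, cport, server, sport) opened from inside
        self.expected = set()   # (server, 20, client, cport) data connections announced by PORT

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(self.inside):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags:
                self.conns.add(key)                  # new outbound connection
            elif key not in self.conns:
                return False                         # no state for this flow
            if pkt.dport == 21:                      # FTP control channel: look at layer 7
                announced = parse_port(pkt.payload)
                # Only honour a PORT that names the client itself (assumption of
                # this example); ignore requests for third-party hosts.
                if announced and announced[0] == pkt.src:
                    self.expected.add((pkt.dst, 20, announced[0], announced[1]))
            return True
        # Inbound: either a reply on a tracked connection ...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return True
        # ... or the single FTP data connection we were told to expect.
        exp = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags and exp in self.expected:
            self.expected.discard(exp)
            self.conns.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False


def run_scenario() -> dict:
    """Replay a constructed FTP session plus two stray inbound packets."""
    sf = StatefulFilter()
    client, server = "10.0.0.5", "198.51.100.7"
    control_syn = Packet(client, 40000, server, 21, frozenset({"SYN"}))
    port_cmd = Packet(client, 40000, server, 21, frozenset({"ACK"}),
                      b"PORT 10,0,0,5,156,65\r\n")          # 156*256+65 = 40001
    data_syn = Packet(server, 20, client, 40001, frozenset({"SYN"}))
    stray_syn = Packet("203.0.113.9", 20, client, 40002, frozenset({"SYN"}))
    stray_ack = Packet("203.0.113.9", 4444, client, 50000, frozenset({"ACK"}))
    return {
        "control_syn": sf.allow(control_syn),            # True: outbound open
        "port_cmd": sf.allow(port_cmd),                  # True: tracked, PORT recorded
        "data_syn": sf.allow(data_syn),                  # True: expected back-channel
        "unexpected_syn": sf.allow(stray_syn),           # False: nobody asked for it
        "stateless_stray_ack": stateless_filter(stray_ack),  # True: looks "established"
        "stateful_stray_ack": sf.allow(stray_ack),       # False: no connection state
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {'allow' if verdict else 'drop'}")
```

The last two entries of the scenario are the point: the same stray ACK packet is admitted by the layer-4 rule and dropped by the stateful one, while the FTP data connection only gets through because the filter read the PORT command on the control channel.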




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26018&t=25757