At 01:55 PM 11/8/99 +0100, Mikael Olsson wrote:
>FYI: The difference between Proxy and Application Level Filters
>---------------------------------------------------------------
>
>There is a lot of confusion about which does what and what is
>more secure and which product uses what, so here's my attempt
>at clearing up some of the confusion.
>
>First, I'd like to state up front that I am not completely certain
>which of terms "Application Level Filter" or "Application Level Gateway"
>is the correct one. Both seem to be popular and interchangeable.
The terms are frequently misused - calling a generic protocol-unaware proxy
like plug-gw an 'application-level gateway' is a common usage.
>First, Webster's definition of "Proxy":
>"The function or power of a person authorized to act for another."
>
>
>- Both proxies and ALGs look at application layer data; that is,
> the data inside TCP/UDP etc...
Often application gateways *don't* look at the application data. See plug-gw.
>- The difference is that a proxy (usually) needs to be "ordered"
> to go do something for the client, this is the definition of
> the word "proxy". Proxies usually require client software support
> for proxies, and also require instructing the software which proxy
> host and type to use. An ALG operates transparently.
Usually require changes, true. Either in operation (telnet to the proxy and
tell it to telnet to the destination) or configuration (setup your browser
to use this proxy..). Application gateways usually connect fixed endpoints,
so they don't require reconfiguration.
>- Unfortunately, many firewall vendors erroneously claim Proxy abilities
> when it is really ALG capabilities. Not that it makes their product
> any less secure, it's just unfortunate that they do :-)
Yep. See plug-gw again. It'll stop someone from DOSing your clients, which
an all-singing-all-dancing filter won't do. But it doesn't look at the
transaction between the endpoints, which limits what it can do.
>- To further add to the confusion, a "transparent proxy" is a
> contradiction in terms, people talking about those are usually
> referring to ALGs.
There are plenty of transparent proxies - real, protocol-aware proxies -
that aren't application gateways. Your 'contradiction' comes from your
inaccurate definition of what a proxy is. (I.e. it's only a proxy if you
have to reconfigure to use it.)
>About security:
>
>- Conceptually, Proxies and ALGs are EQUALLY SECURE.
> No, this is _not_ just an opinion of mine. It is a statement of fact.
> However, keep in mind: the same way that poorly written proxies
> add next to no security, also holds true for poorly written ALGs.
Clearly, your 'fact' is correct only if all proxies are application
gateways. Let's pick an example - a sql proxy that looks at every packet to
make sure the protocol is being followed (reasonable message lengths, in
range command types, correct destinations, etc.) You can't be arguing that
a simple plug with no intelligence is 'equally secure'?
>Now. How does Stateful Inspection fit into this picture? Simple:
>
>- In order to be able to do Application Level Filtering, you need
> to keep track of the connections and packet ordering. Hence,
> Stateful Inspection is a prerequisite for ALGs.
I missed this leap of logic entirely. Does that mean that Checkpoint's
patent on Stateful Inspection is invalid due to the prior art (like mjr's
work on the DEC firewall product?) I think not..
>How do I know if I have a Proxy or an ALG?
>
>- Try telnetting to the inside of your mystery box, port 80.
> If you don't get a connect, it's most likely an ALG.
> Type "GET http://www.somedomain.com/ HTTP/1.0".
> If you get the HTML page from somedomain.com, it is a proxy,
> otherwise, it's most likely an ALG.
OH! I see! You're confusing a *web* proxy with the generic term 'proxy'. Of
course, your test fails when the web proxy decides to deny your access..
>Lastly, remember that there are products that combine both proxying and
>application level filtering.
Just about every one of the major firewall products is hybrid. Some are
reluctant to admit that, some are more honest.
-Rick
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
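As an added example that is not part of this thread, here is a Python script that automates the port-80 test quoted above and also recognises the case Rick raises, a web proxy that answers but denies access. The box's address, the probe URL and the `expect` marker (a string known to appear on the remote page) are assumptions the reader supplies.

```python
import re
import socket


def classify(raw, expect=None):
    """no-http: nothing or non-HTTP came back (plug/ALG to a non-web service,
    or the request was dropped).  proxy-auth: 407, an HTTP proxy that is just
    not open to us (the "test fails" case).  proxy-fetched: body contains
    `expect`, a string known to be on the remote page, so the box fetched it.
    proxy-via: a Via header, which intermediaries add.  http: any other HTTP
    reply, i.e. the box, or a server a plug relayed us to, served its own content."""
    if not raw:
        return "no-http"
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        return "no-http"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    if int(m.group(1)) == 407:
        return "proxy-auth"
    if expect and expect in body:
        return "proxy-fetched"
    if b"via" in headers:
        return "proxy-via"
    return "http"


def probe(host, port=80, url="http://www.somedomain.com/", expect=None, timeout=5.0):
    """Connect to the mystery box, send an absolute-URI GET (the request form a
    forward proxy acts on), read a bounded reply and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(("GET %s HTTP/1.0\r\n\r\n" % url).encode())
            chunks, total = [], 0
            try:
                while total < 65536:
                    data = s.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                    total += len(data)
            except socket.timeout:  # peer went quiet: classify what we got
                pass
    except OSError:  # refused, reset or timed out: no HTTP conversation at all
        return "no-connect"
    return classify(b"".join(chunks), expect)
```

A "proxy-fetched" result is the proxy case from the post; "no-http" after a successful connect is the ALG case, and "no-connect" means the box did not even accept the session.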