folx,

what seems to be missing in this discussion (most of which is dead on) is
that most application-level proxies don't do *any* analysis of the
protocol they are proxying for.  they are simply copying data from one
port on one connection to another port on an associated connection.

the reason for this is clearly the increase in the number and variability
of protocols in the last few years.

the http case is a good example of a protocol that many think cannot be
appropriately analysed by a proxy.  there are so many protocols that ride
inside of http (remember pointcast over http?) that any attempt to try to
do real analysis and sanity checking looks doomed.

this issue poses real problems for stateful packet filters as well as
application-level proxies, though.  SPFs just decline (mostly) to deal
with the situation explicitly; proxies decline to deal with it implicitly
but leave many with the impression that they are more secure.

todd underwood
[EMAIL PROTECTED]

On Thu, 13 Apr 2000, Paul D. Robertson wrote:

> <soapbox height++>
> 
> Just because new protocols exist *doesn't* mean you have to let them
> through the firewall.
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                      PSB#9280
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
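The contrast the post above draws, as an added example that is not code from the list or from either author: a plug relay that copies bytes untouched, next to a proxy stage that at least sanity-checks the HTTP request head. The function names and the sample streams are constructed for illustration; the POST carrying some other protocol in its body is accepted, which is exactly the limit the post describes.

```python
"""Two proxy stances for an inbound stream on port 80: a plug proxy that
copies bytes unchanged, and a stage that sanity-checks the HTTP request head.
Constructed example; helper names and sample data are assumptions."""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def plug_relay(client_bytes: bytes) -> bytes:
    """What a 'plug' application proxy actually does: copy data from one
    connection to the associated one without looking at it."""
    return client_bytes


def http_request_sanity_check(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) after checking only the request line and the
    headers. Anything that is not well-formed HTTP is refused; the body is
    never inspected, so a protocol riding inside HTTP still gets through."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII request head"
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, f"unexpected version {version!r}"
    if method not in ALLOWED_METHODS:  # CONNECT and friends are refused here
        return False, f"method {method} not allowed"
    if not (target.startswith("/") or target.startswith("http://")):
        return False, "request target is neither origin-form nor absolute-form"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return False, f"malformed header line {line!r}"
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    return True, "well-formed HTTP request"


# Constructed sample streams: a normal request, an SSH client banner sent to
# port 80, a CONNECT tunnel attempt, and a POST whose body carries some other
# protocol. The last one passes: the check cannot see inside the body.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_2.9\r\n",
    "connect": b"CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n",
    "tunnelled_post": b"POST /push HTTP/1.1\r\nHost: push.example.com\r\n"
                      b"Content-Type: application/octet-stream\r\n\r\n\x00\x01\x02",
}


def classify_all() -> dict[str, bool]:
    """Run the sanity check over every sample and report accept/refuse."""
    return {name: http_request_sanity_check(raw)[0] for name, raw in SAMPLES.items()}
```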
