a common topic out here from time to time, last time it was hot here,
wasn't the consensus that most proxies do little more than pass streams
mostly unchecked and unverified?
Thanks,
Ron DuFresne
On Thu, 13 Apr 2000, Luff, Darryl wrote:
> Hi Aza,
>
> Application proxies CAN be more secure for a couple of reasons:
>
> - The proxy should interpret the contents of the packet (e.g. read the HTTP
> GET commands) to ensure that they are valid. They CAN do checks to confirm
> that the contents of the packet conform to the appropriate RFC etc. before
> passing the request to the internal server.
>
> - Because the proxy terminates the connection from the client, and generates
> a new one from the proxy to the server, the actual IP packets from the
> client never pass through to the server. So if people play tricks with
> fragments or undocumented IP fields the internal server never sees them.
>
> A packet filter only works on port numbers. If you allow connections on port
> 80 through the firewall to your web server, the firewall will only check the
> source and destination IP addresses and port numbers, and allow the packet
> through. So if the packets have been intentionally fiddled with in some way
> the 'fiddled' packet will get to the server.
>
>
>
>
> > -----Original Message-----
> > From: Aza Goudriaan [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, April 13, 2000 5:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: Packet Filtering vs. Proxy
> >
> > Hi,
> >
> > At this moment I'm configuring a firewall for my little test network (it
> > is for educational reasons). The services I like to run are www and mail.
> >
> > 1. When reading about packet filtering and proxies, everybody says that a
> > proxy gives more security than (stateful) packet filtering. Can you
> > explain why?
> >
> > 2. When testing my server by online port scanners, I don't see any
> > difference when I turn on or off the firewall. Is it always necessary to
> > use a firewall, when only using www (outbound; no webserver in network)?
> > (I'm using a Windows workstation and do www via a Novell NetWare 5 server,
> > running NAT). In that situation (only outbound www), there are no open
> > ports, are there? Then it's impossible to connect to any port on my
> > Novell-machine?
> >
> > Thanks in advance,
> > Aza Goudriaan,
> > student
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.