mouss wrote:
> 
> Graham Wheeler wrote
> >
> > Ah, but a stateful filter can also block content (not by removing it,
> > but simply by renaming the tags in the packets, for example by changing
> > the first character). It's harder to do, as the data stream isn't
> > necessarily in-order, but it's been done.
> 
> a filter can do anything, but development cost is considerable.
> parsing non-contiguous kernel memory buffers is a lot of pain and is
> a source of bugs.
> 
> actually, the difference between a filter and a proxy is not that one
> is kernel based (or stack based) and the other user based, since any
> functionality that may be coded in user-land may be coded in
> kernel-heaven and vice-versa.

Quite so - we allow both proxy and SPF access to services, and our SPF
code runs in user-land after binding to the NICs below the TCP/IP stack.

> > It's actually a lot easier to `filter' active content by renaming than
> > by actually removing it.
>
> The problem with the renaming approach is that the user can set up a proxy
> that replaces any unknown tag by say <script> or </script> (alternatively
> and depending on context...).

Ah, you've just made me feel a bit better about all the work I put in in
stripping the stuff out 8-)

-- 
Dr Graham Wheeler                        E-mail: [EMAIL PROTECTED]
Director, Research and Development       WWW:    http://www.cequrux.com
CEQURUX Technologies                     Phone:  +27(21)423-6065
Firewalls/VPN Specialists                Fax:    +27(21)424-3656
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
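The two points argued in this thread, that a renaming filter leaves the active content in the stream where a cooperating client can restore it, whereas a stripping filter removes it, and that a filter working on individual packets rather than a reassembled stream can be defeated by a tag split across a packet boundary, can both be shown on a toy HTML stream. The following is an added illustration written for this page, not code from either poster or from CEQURUX; the function names, the tag list and the sample markup are constructed for the example.

```python
import re

# Element names treated as "active content" for this illustration (assumption).
ACTIVE = r"script|object|embed|applet"

# An opening or closing tag of an active element: group 1 is "/" for a closing
# tag, group 2 the element name, group 3 any attributes.
_TAG = re.compile(rf"<(/?)({ACTIVE})\b([^>]*)>", re.IGNORECASE)

# A whole active element, opening tag through matching closing tag.
_BLOCK = re.compile(rf"<({ACTIVE})\b[^>]*>(?P<body>.*?)</\1\s*>",
                    re.IGNORECASE | re.DOTALL)


def rename_active_tags(html: str, prefix: str = "x-") -> str:
    """Renaming filter: the browser no longer recognises the element, but the
    element body (the script itself) is left in the stream untouched."""
    return _TAG.sub(lambda m: f"<{m.group(1)}{prefix}{m.group(2)}{m.group(3)}>", html)


def strip_active_tags(html: str) -> str:
    """Stripping filter: removes the whole element including its body, then
    any stray opening/closing tags left over from truncated content."""
    without_blocks = _BLOCK.sub("", html)
    return _TAG.sub("", without_blocks)


def active_bodies(html: str) -> list[str]:
    """The bodies of all active elements in the original page."""
    return [m.group("body") for m in _BLOCK.finditer(html)]


def body_survives(filtered: str, original: str) -> bool:
    """True if every active-element body of the original is still present
    verbatim in the filtered output. A client-side proxy that turns unknown
    tags back into <script> relies on exactly this property."""
    return all(body in filtered for body in active_bodies(original) if body.strip())


def filter_per_packet(chunks: list[str]) -> str:
    """Stateless filtering: each packet payload is filtered on its own."""
    return "".join(strip_active_tags(c) for c in chunks)


def filter_reassembled(chunks: list[str]) -> str:
    """Stateful filtering: the stream is reassembled in order before filtering
    (a real filter must also handle out-of-order and retransmitted segments)."""
    return strip_active_tags("".join(chunks))


# Constructed sample page with two active elements.
SAMPLE = ('<html><body><p>hello</p>'
          '<script type="text/javascript">doThing()</script>'
          '<SCRIPT>trackUser()</SCRIPT>'
          '<p>bye</p></body></html>')

# Constructed packetisation: the first <script> tag is split across two packets.
_cut = SAMPLE.index("<script") + 4
CHUNKS = [SAMPLE[:_cut], SAMPLE[_cut:]]

if __name__ == "__main__":
    renamed = rename_active_tags(SAMPLE)
    stripped = strip_active_tags(SAMPLE)
    print("renamed :", renamed)
    print("stripped:", stripped)
    print("script body recoverable after renaming:", body_survives(renamed, SAMPLE))
    print("script body recoverable after stripping:", body_survives(stripped, SAMPLE))
    print("per-packet filter output:", filter_per_packet(CHUNKS))
    print("reassembled filter output:", filter_reassembled(CHUNKS))
```

Running it shows that the renamed page still carries `doThing()` and `trackUser()` verbatim, so anything between the filter and the browser can put the tags back, while the stripped page does not. The per-packet variant also lets the split `<scr` + `ipt ...>` tag through with its closing tag removed, which is the kind of bug the thread attributes to filtering non-contiguous buffers; only the reassembled (stateful) pass produces the clean page.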
