On Fri, Jan 26, 2001 at 05:43:40PM -0600, Ron DuFresne wrote:
> Understood, and agreed, yet, what about proxies?

It is actually easier for a programmer to write a user-space proxy which
will examine the traffic passing through it. But still you won't find a lot
of application proxies which are good at catching malicious data. One of the
reasons is that, most of the time, (according to the protocol) perfectly
well-formed input data would cause damage hitting a special server (like, for
example, an email address with !). Therefore the writer of the proxy needs to
restrict the protocol and needs a good understanding of what could be a problem.

One good example is the Store+Forward Proxy from the TIS Toolkit. It was
unable to catch MIME overflows because it was not even analysing the body of
a mail.

It is the same for packet filters. The recent ECN is a good example. The
"Reserved" bits of IP packets were defined as "must be zero" by the old
RFC. A lot of firewalls, like PIX, are now dropping packets which have those
bits set, because they cannot know what kind of harm they will do to the
target. Of course those reserved bits are recently used for Congestion
Notification, used by more advanced operating systems. That's the reason why
some users won't be able to access PIXed sites (like Hotmail) any more... bad
luck... but since Cisco will soon add generating ECN packets to their
routers, all companies offering services to the internet will be forced to
upgrade their firewalls.

Greetings
Bernd
-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
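The "reserved bits must be zero" problem from the mail above, shown as an added example (this is not code from the mail, from TIS, or from any Cisco product). It models the TCP side of ECN: RFC 793 declared the six bits between the data offset and URG reserved, and RFC 3168 later took the top two of them for the CWR and ECE flags, so an ECN-setup SYN carries bits that an RFC 793-era filter treats as illegal. The "strict" rule below is only an assumed model of the drop behaviour the mail describes, not the actual PIX rule, and the packets are constructed inline, not captures.

```python
"""
Two packet-filter rules for the TCP "reserved" bits, run over constructed
TCP headers.  Added example; the strict rule is an assumed model of an
RFC 793-era "reserved must be zero" check, not any vendor's real logic.
"""
import struct

# Flag bits in TCP header byte 13: RFC 793 flags plus the two bits that
# RFC 3168 took out of the reserved field for ECN (CWR and ECE).
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
ECN_FLAGS = CWR | ECE


def build_tcp_header(sport, dport, flags, seq=0, ack=0, reserved_nibble=0):
    """Build a minimal 20-byte TCP header with no options.

    reserved_nibble is the low nibble of byte 12, i.e. the four bits that
    remain reserved after RFC 3168; a real host always sends 0 here."""
    data_offset = 5  # 5 x 32-bit words, no options
    byte12 = (data_offset << 4) | (reserved_nibble & 0x0F)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       byte12, flags, 65535, 0, 0)


def parse_tcp_header(hdr):
    """Unpack the fixed part of a TCP header into a dict."""
    sport, dport, seq, ack, byte12, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", hdr[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": byte12 >> 4,
        "reserved_low": byte12 & 0x0F,  # still reserved under RFC 3168
        "flags": flags,
        "window": win,
    }


def strict_rfc793_filter(hdr):
    """Old view: all six bits between data offset and URG are reserved and
    must be zero, so anything with CWR/ECE set is dropped.  This is the
    behaviour that locks ECN-capable hosts out."""
    p = parse_tcp_header(hdr)
    if p["reserved_low"] != 0 or p["flags"] & ECN_FLAGS:
        return "DROP"
    return "ACCEPT"


def ecn_aware_filter(hdr):
    """RFC 3168 view: CWR and ECE are legitimate flags; only the four bits
    that are still reserved in byte 12 have to be zero."""
    p = parse_tcp_header(hdr)
    if p["reserved_low"] != 0:
        return "DROP"
    return "ACCEPT"


def ecn_setup_syn(hdr):
    """True for an ECN-setup SYN per RFC 3168: SYN, not ACK, ECE and CWR set."""
    f = parse_tcp_header(hdr)["flags"]
    return bool(f & SYN) and not (f & ACK) and (f & ECN_FLAGS) == ECN_FLAGS


# Constructed sample packets (built here, not captured from a network).
PLAIN_SYN = build_tcp_header(40000, 80, SYN)                 # legacy client
ECN_SYN = build_tcp_header(40001, 80, SYN | ECE | CWR)       # ECN-capable client
BOGUS = build_tcp_header(40002, 80, SYN, reserved_nibble=0x4)  # truly reserved bit set


def evaluate_all():
    """Run both rules over the sample packets: name -> (strict, ecn_aware)."""
    samples = [("plain_syn", PLAIN_SYN), ("ecn_syn", ECN_SYN),
               ("bogus_reserved", BOGUS)]
    return {name: (strict_rfc793_filter(h), ecn_aware_filter(h))
            for name, h in samples}


if __name__ == "__main__":
    for name, (old, new) in evaluate_all().items():
        print(f"{name:15s} strict={old:6s} ecn-aware={new}")
```

The point of running both rules side by side is the middle row: the ECN-capable SYN is a perfectly valid packet under the newer RFC and still gets dropped by the strict rule, while the packet with a genuinely reserved bit set is dropped by both, which is the check the firewall actually wanted.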