Greetings back at ya <smile>!

On Wed, 23 May 2001, Volker Tanger wrote:

> Greetings!
> 
> Ron DuFresne wrote:
> 
> > On Tue, 22 May 2001, Volker Tanger wrote:
> > > (Transparent) application proxies read the request and open a brand new
> > > connection to the target IP address by themselves. With this IP-based
> > > attacks (e.g. weird IP flags) always stop at the firewall. In most cases
> > > (specialized) application proxies are more secure as they test (much)
> > > more parameters on the application layer. Checking host names or email
> > > addresses for overly long parts or disallowed special characters should
> > > be handled accordingly. In addition to that a certain amount of
> > > anonymization and masquerading on application level (e.g. header
> > > filtering for SMTP and HTTP) is built in.  Examples:  Raptor,
> > > TIS/Gauntlet
> > >
> >
> > Which, again, brings up an oft asked question, still left unanswered:
> > How deeply do application proxies actually look into the packets?  What
> > degree do the major players go to to determine what is and is not
> > acceptable?  How many actually look deeper than the packet headers?  How
> > many look at more than the mere headers after the first packet or two?
> 
> To make one general thing clear: proxies open a new connection and shovel over
> the data part of the session only. They do not pass packets - only the session
> data.
> 

Thank you for the clarification!


> Most of them (esp. Raptor - I do not have enough experience with others) have
> a good look at the session headers (e.g. mail headers,  HTTP headers and
> request lines) and compare them with the RFCs.
> 

This still seems like fairly minimal checking of what is contained within
the application session data being passed.

> For example I learned from (Raptor-)blocked connections that Lotus Notes seems
> to like to embed weird (read: non-RFC) mail server addresses into the "From:"
> or "Received:" header lines - which leads Raptor to abort the SMTP connection
> with the "fake" originator address.


I recall this being an issue for some in posts before this discussion.  If
I recall the way to deal with this was limited to turning off Raptor's
proxying for Lotus Notes SMTP connections.  Have Lotus or the Raptor folks
looked into resolving this issue as far as you or others are aware?

> 
> The actual filtering and checks are - of course - implementation and product
> dependent.
> 

It would be nice to see a writeup and comparison of the various proxies
and the depth and breadth of how deeply and completely they go about their
business of filtering and checking for sure.


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
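
An added example, not part of the original message and not any vendor's code: a sketch of the header checks the thread describes (overly long parts, disallowed characters, non-RFC host names in "From:"), aborting the session on the first failure. The function names, the rule set and the sample headers are assumptions constructed here; the length limits are the ones in RFC 5321 and RFC 5322.

```python
import re

MAX_LINE = 998    # RFC 5322 2.1.1: max header line length, excluding CRLF
MAX_LOCAL = 64    # RFC 5321 4.5.3.1.1: max local-part length
MAX_DOMAIN = 255  # RFC 5321 4.5.3.1.2: max domain length
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # LDH label
ADDR = re.compile(r"<([^<>]*)>|(\S+@\S+)")  # <addr> form, or a bare addr


def check_header(line):
    """Return the reasons a header line would be rejected (empty list = pass)."""
    problems = []
    if len(line) > MAX_LINE:
        problems.append("line too long")
    if any((ord(c) < 32 and c != "\t") or ord(c) > 126 for c in line):
        problems.append("control or non-ASCII character")
    name, _, value = line.partition(":")
    if name.strip().lower() == "from":
        m = ADDR.search(value)
        addr = (m.group(1) or m.group(2) or "") if m else ""
        local, at, domain = addr.rpartition("@")
        if not at or not local:
            problems.append("no usable address")
        else:
            if len(local) > MAX_LOCAL:
                problems.append("local-part too long")
            if len(domain) > MAX_DOMAIN:
                problems.append("domain too long")
            if not all(LABEL.match(label) for label in domain.split(".")):
                problems.append("domain is not a valid host name")
    return problems


def verdict(header_lines):
    """Abort on the first failing header, otherwise relay the session data."""
    for line in header_lines:
        problems = check_header(line)
        if problems:
            return ("abort", line.split(":", 1)[0], problems)
    return ("relay", None, [])


# Constructed sample session headers (not captured traffic).
SAMPLE = [
    "Received: from gw.example.net by mx.example.com",
    "From: user@mail_server!internal",   # constructed non-RFC host part
    "Subject: test",
]
print(verdict(SAMPLE))
```
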
