Actually the Symantec Enterprise Firewall (old Axent Raptor) does a fair
amount of protocol verification, such as HTTP command conformance, causing
problems for people who try to shove new commands past it (WEBDAV
anyone).
It managed to catch most of the Nimda attacks on our servers as well, by
finding illegal characters in GET parameters.
It also has caused problems for people trying to shove raw binary through
HTTPS since it checks for full setup/take-down process.
There was recent traffic on Raptor list about the new version 7 blocking
mail that didn't conform to ESMTP syntax (it rejected address without <>
around it).
Notice that the problem for many sysadmins is too much security, not too
little. Many systems have been "dumbed down" because of this.
But you are correct that the relative inflexibility of a proxy firewall
compared to a stateful inspection one creates problems in a security
segmented network. I would not recommend a proxy for that use, but I
wouldn't recommend a stateful inspection FW for protecting a large number
of unhardened corporate Windows98 desktops in the internal network from
raw Internet attacks, although that is its biggest use.
My original reply to the question about moving Gauntlet to FW-1 did not
imply superiority of proxy firewalls to stateful inspection, just that the
trade-offs in use are different and that there is no simple rule
conversion technique since a proxy will handle some security features
implicitly that have to be explicit in FW-1. Each form of firewall has its
correct usage, but they can't be substituted one for the other,
willy-nilly.
Proxy firewalls perhaps are more susceptible to attacks ON the firewall
rather than through it, but I don't know of any reports of proxies
breached themselves because most proxy firewall installations harden the
host when they are installed.
There are reports of breaches on FW-1 as well, since it normally runs on a
general purpose host.
The implicit NAT created by the double session sometimes can cause
problems, especially with SMTP and spam.
If you use a proxy firewall in front of a MTA that judges local mail by
source IP of server, it will find that all mail comes from a local
connection, allowing relaying. I found that the Gauntlet SMTP was
susceptible to this a few years ago when I had to help a related
organization get off the ORBS blackhole list.
Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239
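The open-relay side effect described in the reply above (the proxy re-originates every outside session from its own inside address, so an MTA that trusts "local" source IPs relays for the whole Internet), as an added example that is not part of the original post or of Gauntlet. The addresses, domains and log format are constructed for illustration; `PROXY_INSIDE_ADDR` stands for the proxy firewall's inside interface as the MTA sees it.

```python
import ipaddress

# Constructed values, not taken from the thread.
PROXY_INSIDE_ADDR = "192.0.2.10"                          # proxy's inside interface
LOCAL_DOMAINS = {"example.org"}                           # domains this MTA is final for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # "local" clients the MTA relays for

def _domain(rcpt: str) -> str:
    return rcpt.rsplit("@", 1)[-1].lower()

def relay_by_source_ip(client_ip: str, rcpt: str) -> bool:
    """Naive policy: relay for any connection that comes from a local address.
    Behind a proxy firewall every Internet session arrives from the proxy's
    inside address, so every sender looks local and the MTA becomes an open relay."""
    if _domain(rcpt) in LOCAL_DOMAINS:
        return True                                       # inbound mail for us is always accepted
    src = ipaddress.ip_address(client_ip)
    return any(src in net for net in TRUSTED_NETS)

def relay_hardened(client_ip: str, rcpt: str, authenticated: bool) -> bool:
    """Corrected policy: the proxy's address is never treated as a local client;
    mail for foreign domains from it needs SMTP AUTH instead of an IP match."""
    if _domain(rcpt) in LOCAL_DOMAINS:
        return True
    if client_ip == PROXY_INSIDE_ADDR:                     # all outside traffic shows up as this
        return authenticated
    src = ipaddress.ip_address(client_ip)
    return authenticated or any(src in net for net in TRUSTED_NETS)

# Constructed MTA log: "<client_ip> <recipient> <relayed|rejected>"
SAMPLE_LOG = [
    "192.0.2.10 alice@example.org relayed",         # inbound for our domain via the proxy: fine
    "192.0.2.10 bob@elsewhere.example relayed",     # foreign recipient, source is the proxy: relay abuse
    "192.0.2.55 carol@elsewhere.example relayed",   # genuine inside host sending outbound: fine
]

def audit_relay_log(lines):
    """Flag relayed mail for non-local domains whose connection source is the
    proxy's inside address: the signature of the misconfiguration above."""
    flagged = []
    for line in lines:
        client_ip, rcpt, action = line.split()
        if (action == "relayed" and client_ip == PROXY_INSIDE_ADDR
                and _domain(rcpt) not in LOCAL_DOMAINS):
            flagged.append(line)
    return flagged
```

The audit function is the check to run over existing logs when deciding whether the naive policy has already been abused.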
Mikael Olsson <[EMAIL PROTECTED]>
04/05/02 10:02 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Proxy vs stateful... oh no, not again :) (Was: Re: Migration from Gauntlet 5 to Firewall-1)
[EMAIL PROTECTED] wrote:
>
> Proxy firewalls create new sessions for a connection. One session is
> between client and firewall; the second is between firewall and server.
This is all true and good.
> It then examines the session for conformance to the RFC's, normalizes
> character sets, catches buffer overflows etc..
*cough*
PLEASE give me an example of a proxy firewall that actually DOES
all of this for even one single protocol, let alone for more
than one protocol.
> preventing sequence number attacks, fragmentation attacks etc.
> so is better than stateful inspection.
Except of course for attacks that could "only" result in DoS,
and take down the proxy firewall with it (since they tend to
live on full-blown multi-user OSes like Solaris, NT, etc),
rather than just "some" machines behind a stateful inspection
firewall that does not know to protect against things like this.
(Although this argument is getting somewhat old now, since
stateful inspection firewalls in general catch at least most
of these attacks, and proxy firewalls are immune to them
as long as the administrator remembers to apply the latest
OS security patches.)
Can I counter some now? :)
Please show me how to divide a corporate network, with
multiple publicly accessible servers with different
security ratings, and with back-end servers accessible
from said servers, into ... oh, let's say fifty different
security zones, using any proxy firewall available today.
(I myself lean towards designing networks with one such
server per firewalled segment. It makes for very nice
defense in depth and damage control.)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls