Re: question about proxy firewall

2003-09-26 Thread Haim Ashkenazi
[EMAIL PROTECTED] wrote:
 The point of a protocol-proxy is that you want to provide services to
 the outside world, but you don't trust your server software to be robust
 against protocol-level attacks (buffer overflows, primarily). Since one
 of the points of Debian is to fix bugs in software, that's not
 particularly a direction that's interested anyone recently.
Well, there were threads on this mailing list about breaking into updated
woody hosts, so I guess that another layer of security couldn't harm...


 
 However, the tools are in place to build your own. Generically, any
 protocol can be diverted to another program by the packet filtering
 system; it's trivial to send things on to other computers, too. There
 are lots of HTTP, FTP, SMTP, DNS, X... proxies available, some of which
 have been built with security in mind and others with other goals.
 
 Look at packages simpleproxy, stone, totd, squid, xfwp, and in fact
 everything you get from an apt-cache search proxy.
thanx

Bye
--
Haim





Re: question about proxy firewall

2003-09-26 Thread Javier Fernández-Sanguino Peña

On Thu, Sep 25, 2003 at 04:02:01PM +0300, Haim Ashkenazi wrote:
 Hi
 
 I've read an article about FreeBSD which made me read some parts of the
 FreeBSD documentation. In the firewall section there is a short description
 about proxy firewalls. I've made some more searching and found a free
 product called TIS which provides this functionality (which I thought was
 only available on costly commercial products like Checkpoint). A little

Just FYI, TIS was the company founded by Marcus Ranum which provided the
firewall toolkit (see www.fwtk.org). The FWTK was the basis for the first
commercial firewall: Gauntlet [1]. FWTK is not free in any sense, see
http://www.fwtk.org/fwtk/download/downloading.html#1.3

Also, Checkpoint is not a proxy firewall (but it is starting to become like 
one with this new 'Application Intelligence' stuff)


 more searching got me to products available for Linux (like dante), but in
 their documentation I've read that it is used mainly for outgoing traffic.
 
 I know very little about this subject, so I was wondering, is there a
 product for Linux that provides some more security for incoming traffic
 (instead of just sophisticated filtering).

You might want to take a look at Zorp
(www.gnu.org/directory/security/firewall/zorp.html) which provides a
framework for developing proxies with filtering (i.e. a proxy firewall) in
Python. And, of course, it's packaged in Debian.

You can still build a firewall proxy without things like fwtk or Zorp but
it's kind of a do-it-yourself thing: take a set of proxies ('apt-cache
search proxy') such as squid, dircproxy, ftp-proxy, pdnsd, perdition,
smtpd, xfwp, and simpleproxy, install them on a bastion host, configure
each tool to implement your security policy by filtering within each of the
proxies, code filters in those proxies that do not implement them, etc.

Regards

Javi

[1] Googling I've found a nice article which describes this better
Firewalls and Internet Security, the Second Hundred (Internet) Years by 
Frederick Avolio, available at a number of places including 
http://www.spirit.com/CSI/Papers/fw2hundred.html




Re: question about proxy firewall

2003-09-26 Thread Bob Snyder
On Fri, Sep 26, 2003 at 08:09:14PM +0200, Javier Fernández-Sanguino Peña wrote:

 Just FYI, TIS was the company founded by Marcus Ranum which provided the
 firewall toolkit (see www.fwtk.org). The FWTK was the basis for the first
 commercial firewall: Gauntlet [1]. FWTK is not free in any sense, see
 http://www.fwtk.org/fwtk/download/downloading.html#1.3

Founded by Stephen T. Walker, I think, although mjr was one of/the
author of FWTK. The only Google reference I can find to his title was
Engineering Manager. Marcus went on to V-One, followed by founding
Network Flight Recorder.

The early FWTK was free in the sense of free beer, and came with source.
That changed with later releases of the code.

Bob





Re: question about proxy firewall

2003-09-26 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 The point of a protocol-proxy is that you want to provide services to
 the outside world, but you don't trust your server software to be robust
 against protocol-level attacks (buffer overflows, primarily).

It is also the other way around: clients which you can't trust to be stable
enough. A typical example is web browsers which display ActiveX.

 Since one
 of the points of Debian is to fix bugs in software, that's not
 particularly a direction that's interested anyone recently.

This is not true for organisations running desktops from a commercial vendor
and firewalls based on Debian.
 
 However, the tools are in place to build your own. Generically, any
 protocol can be diverted to another program by the packet filtering
 system;

A small list can be found on http://www.freefire.org/, but it is not Debian specific.

 Look at packages simpleproxy, stone, totd, squid, xfwp, and in fact
 everything you get from an apt-cache search proxy.

... and I may need to add some of these :)

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/








Re: question about proxy firewall

2003-09-26 Thread Haim Ashkenazi
Javier Fernández-Sanguino Peña wrote:
 Also, Checkpoint is not a proxy firewall (but it is starting to become
 like one with this new 'Application Intelligence' stuff)
Well, as I said, I know very little about that, but someone told me that some
commercial firewalls work at the application level (for incoming traffic).
I don't know if this is exactly the same...

 You might want to take a look at Zorp
 (www.gnu.org/directory/security/firewall/zorp.html) which provides a
 framework for developing proxies with filtering (i.e. a proxy firewall) in
 Python. And, of course, it's packaged in Debian.
thanx, I've already started reading about it.

Bye
--
Haim






question about proxy firewall

2003-09-25 Thread Haim Ashkenazi
Hi

I've read an article about FreeBSD which made me read some parts of the
FreeBSD documentation. In the firewall section there is a short description
about proxy firewalls. I've made some more searching and found a free
product called TIS which provides this functionality (which I thought was
only available on costly commercial products like Checkpoint). A little
more searching got me to products available for Linux (like dante), but in
their documentation I've read that it is used mainly for outgoing traffic.

I know very little about this subject, so I was wondering, is there a
product for Linux that provides some more security for incoming traffic
(instead of just sophisticated filtering).

thanx
--
Haim





Re: question about proxy firewall

2003-09-25 Thread dsr
On Thu, Sep 25, 2003 at 04:02:01PM +0300, Haim Ashkenazi wrote:
 I've read an article about FreeBSD which made me read some parts of the
 FreeBSD documentation. In the firewall section there is a short description
 about proxy firewalls. I've made some more searching and found a free
 product called TIS which provides this functionality (which I thought was
 only available on costly commercial products like Checkpoint). A little
 more searching got me to products available for Linux (like dante), but in
 their documentation I've read that it is used mainly for outgoing traffic.
 
 I know very little about this subject, so I was wondering, is there a
 product for Linux that provides some more security for incoming traffic
 (instead of just sophisticated filtering).

The point of a protocol-proxy is that you want to provide services to
the outside world, but you don't trust your server software to be robust
against protocol-level attacks (buffer overflows, primarily). Since one
of the points of Debian is to fix bugs in software, that's not
particularly a direction that's interested anyone recently.

However, the tools are in place to build your own. Generically, any
protocol can be diverted to another program by the packet filtering
system; it's trivial to send things on to other computers, too. There
are lots of HTTP, FTP, SMTP, DNS, X... proxies available, some of which
have been built with security in mind and others with other goals.

Look at packages simpleproxy, stone, totd, squid, xfwp, and in fact
everything you get from an apt-cache search proxy.

-dsr-
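The do-it-yourself approach described by dsr above and by Javi earlier in the thread (a proxy on a bastion host that filters within the protocol so malformed input never reaches the real server) as an added example, not code from the thread or from any package named in it: an SMTP command filter that such a relay would consult line by line. The line limits come from RFC 5321; the command allowlist, the reply texts and the session in demo() are constructed assumptions.

```python
from typing import Optional, Tuple
# Added example of the per-proxy filtering a do-it-yourself proxy firewall applies
# on the bastion host, written for SMTP. Policy values and the session in demo()
# are constructed assumptions, not taken from any package named in the thread.
MAX_CMD, MAX_TEXT = 512, 1000   # RFC 5321 line limits, CRLF included
ALLOWED = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}

class SmtpFilter:
    """Client-side policy for a relayed SMTP session; the relay feeds it every
    client line and every backend reply so it can tell commands from DATA text."""
    in_data = False

    def client_line(self, line: bytes) -> Tuple[bool, Optional[bytes]]:
        """Return (forward, reply); a refused line is answered by the proxy itself."""
        if self.in_data:                         # message text: length-limited only
            if line == b".\r\n":
                self.in_data = False
            ok = len(line) <= MAX_TEXT
            return ok, None if ok else b"500 Line too long\r\n"
        if len(line) > MAX_CMD or not line.endswith(b"\r\n"):
            return False, b"500 Line too long or missing CRLF\r\n"
        body = line[:-2]
        if not body.isascii() or any(c < 0x20 for c in body):
            return False, b"500 Syntax error: control or non-ASCII bytes\r\n"
        if body.split(b" ", 1)[0].upper() not in ALLOWED:
            return False, b"502 Command not implemented\r\n"
        return True, None

    def server_reply(self, reply: bytes) -> None:
        """A 354 reply opens a DATA body; any other reply closes it."""
        self.in_data = reply.startswith(b"354")

def demo() -> list:
    """Run a constructed session through the filter and return its verdicts."""
    f, verdicts = SmtpFilter(), []
    for line, reply in [
        (b"EHLO client.example.test\r\n", b"250 mx.example.test\r\n"),
        (b"VRFY root\r\n", None),            # not in ALLOWED: refused by the proxy
        (b"MAIL FROM:<a@example.test>\r\n", b"250 OK\r\n"),
        (b"RCPT TO:<b@example.test>\r\n", b"250 OK\r\n"),
        (b"DATA\r\n", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
        (b"VRFY root\r\n", None),            # same bytes inside DATA: text, relayed
        (b".\r\n", b"250 Queued\r\n"),
        (b"X" * 600 + b"\r\n", None),        # oversized command, refused
    ]:
        forward, _answer = f.client_line(line)
        verdicts.append(forward)
        if forward and reply:                # body lines draw no reply from the server
            f.server_reply(reply)
    return verdicts
```

The relay itself (sockets, lockstep forwarding of replies) is left out; the point here is the state the filter must keep so that the same bytes are a command on the command channel and plain text inside DATA.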