At 10:35 AM 11/23/99 +0100, Mikael Olsson wrote:

So you feel that proxies provide 100% security just because the
outside user never has "direct" contact with the internal server?

That isn't what he wrote. You made too broad a jump here.

A proxy with application level filtering capabilities (let's not start
on plug-gw here) can only protect against attacks known to the developer
of the proxy. MJR posted a note on this recently.

Specifically, yes, but there are a whole set of threats that cannot easily (or at all in some cases) be exploited if there is no direct network connection. All of this has been written up in the literature going back 6 years, so I won't rehash it here. A packet filter may make the internal network more vulnerable to attack than an application gateway. This hasn't changed over the years.


If your server is sitting on the internal network, this also means that
your entire internal network is toast.

Your entire internal network may be toast. :-)

Having the data passed from the external network to the server is
"direct connection enough" for these kinds of attacks; they're not
network-layer based any more.

Absolutely. But there are threats that are network based. An application gateway can provide more protection.

> ... The outside user
> actually talks directly with your server. Most people use a DMZ because the
> outside user is actually connected to your server and if he can compromise
> it (s)he is IN your network.

As I showed above, this holds equally true in the case of proxies.

While it is true that some attacks work whether there is a direct network connection, there are attacks that will not, or are more difficult. Making some attacks "more difficult" is often sufficient.

I'm not trying to endorse fw-1 over gauntlet or the other way around,
I'm just saying that proxies with application filtering capabilities
don't buy you as much as a lot of people like to think.


And all I am injecting into the discussion is that application gateways can provide more security than a filter. That is to say, I agree with Mikael in spirit, but I think he's gone too far in the opposite direction. :-)

Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/