At 07:36 AM 3/1/00 +0100, Andreas Haug wrote:
>Reassembling the stream is not enough. Period. Any proxy which calls
>itself "Application Level" is required to get the whole picture. It has to
>know what is going on, why it is doing this or that, and what the security
>implications of its doing are. This will never be 100%, but an
>"Application Level" proxy has to be very -- VERY -- close to 100%.
In your passion, I think you've overstated. I understand what you're
driving at, but you've redefined the term here.
What I would like to see (and this is able to be done, without
reinvention), is a description for each service that indicates the level of
analysis. There are some services that are so close to impossible to
analyze, that they might as well just be transport level (circuit)
gateways. Video streams come to mind. Others (FTP) should be more closely
scrutinized.
>A WWW Application proxy should be able to see the page which it is about
>to deliver to the client. It should be able to strip any, all, and
>everything which could harm the client application.
Practically speaking, an application gateway can do this modulo "the
halting problem." So could a SI firewall. "Could" is the key word. Not all
firewalls of either type bother to do this.
>Trying to sell transport layer proxies by the name of application layer
>proxies might be more common than most people think. I can't prove it right
>here, but I have this feeling. I have this dream...
It is incredibly common. Which is why I'd like to see a more detailed
description in product descriptions. But, very few end customers actually
care about this.
Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
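The distinction drawn above between a circuit-level relay and a gateway that actually sees the page, as an added Python illustration (not code from this post or from any product it mentions): the relay forwards bytes untouched, while the application-level handler parses the HTTP response, strips script blocks from HTML bodies and rewrites Content-Length so the client still gets a well-framed message. The sample response and all function names are constructed for this example.

```python
import re

# Constructed sample response (not from the post), as the proxy receives it from the origin.
SAMPLE_BODY = b"<html><body><script>alert(1)</script><p>hello</p></body></html>"
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                   + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)
SCRIPT_RE = re.compile(rb"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

def circuit_relay(raw: bytes) -> bytes:
    """Transport-level (circuit) gateway: relays the bytes and never looks at them."""
    return raw

def parse_response(raw: bytes):
    """Split an HTTP response into status line, [(name, value)] headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block: need the whole picture before acting")
    status, *header_lines = head.split(b"\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body

def header(headers, name: bytes) -> bytes:
    return next((v for n, v in headers if n.lower() == name), b"")

def application_proxy(raw: bytes):
    """Application-level gateway: parse the response, strip script blocks from HTML,
    and repair Content-Length so the client still receives a well-framed message.
    Returns (rewritten response, number of script blocks removed)."""
    status, headers, body = parse_response(raw)
    removed = 0
    if header(headers, b"content-type").lower().startswith(b"text/html"):
        # Repeat until nothing changes: a single pass can leave a tag behind when
        # removing an inner match makes the surrounding fragments recombine.
        while True:
            body, n = SCRIPT_RE.subn(b"", body)
            removed += n
            if n == 0:
                break
    # The body length changed, so the framing header must be rewritten, not forwarded.
    headers = [(n, str(len(body)).encode() if n.lower() == b"content-length" else v)
               for n, v in headers]
    rebuilt = b"\r\n".join([status] + [n + b": " + v for n, v in headers])
    return rebuilt + b"\r\n\r\n" + body, removed
```

Even this handler only catches what its pattern describes; an unterminated or differently encoded script block passes through, which is the "never 100%" point made in the thread.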