Bennett Todd wrote:
>
> 2000-05-30-04:35:09 Graham Wheeler:
> > Why should it be such a large amount of work for everyone except
> > Gauntlet? I don't understand your reasoning here.
>
> That was mostly a sideways reference to the periodic claims by fans
> of "stateful packet filtering" that by writing enough of the IP and
> application stack in their stateful rules they could do anything
> that an application proxy does. I wasn't thinking about the
> possibility that there might be other application proxies available
> that strip active content.

Ah, but a stateful filter can also block content (not by removing it,
but simply by renaming the tags in the packets, for example by changing
the first character). It's harder to do, as the data stream isn't
necessarily in-order, but it's been done.

It's actually a lot easier to `filter' active content by renaming than
by actually removing it. I wrote the code in our application proxy that
removes such content, and it was quite a challenge. I kicked myself
afterwards when I realised I could have just used renaming.

g.
--
Dr Graham Wheeler E-mail: [EMAIL PROTECTED]
Director, Research and Development WWW: http://www.cequrux.com
CEQURUX Technologies Phone: +27(21)423-6065
Firewalls/VPN Specialists Fax: +27(21)424-3656
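
Added example, not part of the original post or of any product named in it: a sketch of the renaming approach described above, overwriting the first character of a tag name so the byte count of the stream is unchanged. The tag list, the `x` replacement character and the `TagRenamer` class are assumptions for illustration, and the chunks are assumed to have been put in order already; the held-back tail handles a tag split across two chunks.

```python
import re

# Assumed tag list for illustration; the post does not name specific tags.
ACTIVE_TAGS = (b"script", b"applet", b"object", b"embed")
_PATTERN = re.compile(rb"(</?)(" + b"|".join(ACTIVE_TAGS) + rb")", re.IGNORECASE)
# Longest match is "</" + name; a partial one at a chunk end is one byte shorter.
_HOLD = max(len(t) for t in ACTIVE_TAGS) + 1


def _rename(match):
    # Overwrite only the first character of the tag name: same length, unknown tag.
    return match.group(1) + b"x" + match.group(2)[1:]


class TagRenamer:
    """Length-preserving rewrite of an in-order byte stream, chunk by chunk."""

    def __init__(self):
        self._tail = b""  # bytes held back because a tag may straddle the boundary

    def feed(self, chunk):
        data = _PATTERN.sub(_rename, self._tail + chunk)
        # If a '<' sits close enough to the end to start a partial tag,
        # keep everything from it onwards until the next chunk arrives.
        cut = data.rfind(b"<", max(0, len(data) - _HOLD))
        if cut == -1:
            cut = len(data)
        self._tail = data[cut:]
        return data[:cut]

    def flush(self):
        # End of stream: release whatever is still held back.
        tail, self._tail = self._tail, b""
        return tail
```

Because the output is exactly as long as the input, nothing downstream that depends on byte counts has to be adjusted, which is what makes renaming simpler than removal.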