Greetings!
Ron DuFresne wrote:
> On Tue, 22 May 2001, Volker Tanger wrote:
> > (Transparent) application proxies read the request and open a brand new
> > connection to the target IP address by themselves. With this IP-based
> > attacks (e.g. weird IP flags) always stop at the firewall. In most cases
> > (specialized) application proxies are more secure as they test (much)
> > more parameters on the application layer. Checking host names or email
> > addresses for overly long parts or disallowed special characters should
> > be handled accordingly. In addition to that a certain amount of
> > anonymization and masquerading on application level (e.g. header
> > filtering for SMTP and HTTP) is built in. Examples: Raptor,
> > TIS/Gauntlet
> >
>
> Which, again, brings up an oft asked question, still left unanswered:
> How deeply do application proxies actually look into the packets? What
> degree do the major players go to to determine what is and is not
> acceptable? How many actually look deeper than the packet headers? How
> many look at more than the mere headers after the first packet or two?
To make one general thing clear: proxies open a new connection and shovel over
the data part of the session only. They do not pass packets - only the session
data.
Most of them (esp. Raptor - I do not have enough experience with others) have
a good look at the session headers (e.g. mail headers, HTTP headers and
request lines) and compare them with the RFCs.
For example I learned from (Raptor-)blocked connections that Lotus Notes seems
to like to embed weird (read: non-RFC) mail server addresses into the "From:"
or "Received:" header lines - which leads Raptor to abort the SMTP connection
with the "fake" originator address.
The actual filtering and checks are - of course - implementation- and
product-dependent.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
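
The kind of session-header check discussed in this message, as an added example that is not part of the original post and is not Raptor's or any product's actual logic: a strict From: address and header-line validator of the sort an SMTP application proxy could apply before relaying. The function names, the strict dot-atom policy and the sample messages are assumptions constructed for illustration.

```python
import re

MAX_LINE, MAX_LOCAL, MAX_DOMAIN, MAX_LABEL = 998, 64, 255, 63  # RFC 5322 / RFC 5321 limits
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL = re.compile(rf"{ATEXT}(?:\.{ATEXT})*")
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
CTRL = re.compile(r"[^\t\x20-\x7e]")  # anything but TAB and printable ASCII

def check_domain(domain):
    """Reasons a host name is rejected; an empty list means it passed."""
    if not domain or len(domain) > MAX_DOMAIN:
        return ["domain empty or too long"]
    bad = [l for l in domain.split(".") if len(l) > MAX_LABEL or not LABEL.fullmatch(l)]
    return [f"bad domain label {l!r}" for l in bad]

def check_address(addr):
    """Assumed strict policy: dot-atom local part only, no quoted strings or literals."""
    if addr.count("@") != 1:
        return ["expected exactly one '@'"]
    local, domain = addr.split("@")
    problems = check_domain(domain)
    if len(local) > MAX_LOCAL:
        problems.append("local part too long")
    if not LOCAL.fullmatch(local):
        problems.append("disallowed character in local part")
    return problems

def check_headers(raw):
    """Return (header, reason) pairs; a proxy would refuse the session if any exist."""
    findings, logical = [], []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break                                # blank line ends the header block
        if len(line) > MAX_LINE:
            findings.append((line[:20], "header line too long"))
        if CTRL.search(line):
            findings.append((line[:20], "control or non-ASCII character"))
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()    # unfold continuation line
        else:
            logical.append(line)
    for header in logical:
        name, _, value = header.partition(":")
        if name.strip().lower() == "from":
            m = re.search(r"<([^<>]*)>", value)  # prefer the <addr-spec> form
            addr = (m.group(1) if m else value).strip()
            findings += [("From", reason) for reason in check_address(addr)]
    return findings

# Constructed sample messages (not taken from the thread or from any real product).
GOOD = "Received: from mail.example.org by fw.example.net\r\nFrom: Alice <alice@example.org>\r\n\r\nbody"
BAD = "From: CN=Mail Server/O=Example@SRV_01\r\n\r\nbody"
```
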