CID: Firewalls [7:25757]

2001-11-10 Thread John Tafasi

Hi Group,

I am a little confused about the OSI layers at which different types of firewalls work
(proxy, packet filters and stateful firewalls). Can anybody help with that?

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=25757&t=25757
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Firewalls [7:25757]

2001-11-12 Thread Kent Hundley

John,

The question is not as simple as it seems.  Over the past 3-4 years the
terms "proxy" and "stateful filtering" have been considerably "vendorized"
so that what one vendor or person refers to as a "proxy" may not be exactly
the same as what another vendor or person refers to.  Ditto for "stateful
filtering".

The easy one first. Packet filtering, sometimes called non-stateful
filtering, works up through layer 4.  You can filter on IP address, TCP or
UDP port numbers and some limited TCP flags (such as the SYN or ACK bit).
If a filter can do more than this, it's probably a stateful filter.

The idea behind a proxy server is that a proxy server acts as a server to a
trusted client and as a client to an untrusted server.  In transparent mode,
both the trusted client and the untrusted server believe they are talking to
each other and are unaware that there is a 3rd party, the proxy, involved.
In non-transparent mode, at least the client is aware of the proxy although
the server may not be. Some applications can be proxied transparently, others
can be but require additional software, some are very difficult to proxy
transparently.

Since proxies must support the actual application used, they work through all
7 layers.  The basic idea is that since the proxy actually terminates the
connection on both the client side and the server side, it can inspect and
reject any portion of the application that does not conform to certain rules
defined by the site implementing the proxy.

While this works well in theory, in reality a true proxy can be problematic
and may not be any more secure than other methods such as SPF. (more on this
in a minute)

Stateful filtering generally implies inspecting a packet at least up through
layer 4, but not necessarily beyond that.  Strictly speaking, a SPF must be
aware of the way an app uses ports, but it's arguable whether this is layer 7
awareness.  For example, an SPF must understand that FTP opens a
back-channel connection.  Some SPFs examine the FTP PORT command to see
which port the reverse connection should originate from.  This could be
called layer 7 since you must look at the actual FTP commands.  In general,
the layer at which the SPF operates depends on the application used and the
vendor's implementation.  For common apps, an SPF implementation may have
limited functionality at layer 7, but for uncommon apps it is probably
functioning more at layer 4 and just maintaining "state" (IP src/dst, TCP
src/dst, etc.).

It is generally believed that a true proxy is more secure than SPF.  The
idea being that a proxy is "forced" to look at all 7 layers.  This is not
exactly true.  A proxy must terminate an application, but if an app is not
well known, it is typical for the proxy to use a "plug gateway" and simply
take the data from the server and give it to the client and vice versa.
Even for well-known apps, it is difficult to determine what may or may not
be "dangerous" content and typically a proxy will just block application
commands that are erroneous or malformed although more options may be
available for well-known apps.  Additionally, there is no technical reason
why a SPF cannot look at the data portion of a packet; in fact most SPF
implementations look at the data portion of some well-known apps and allow
limited filtering (i.e. blocking FTP get or put requests).

On top of all this, some SPF implementations have limited true proxy ability
(i.e. Checkpoint) and some proxy implementations have some SPF ability (i.e.
Gauntlet).

That's a bit of a long-winded answer, but the skinny of all this would be:

packet filter - layer 4
SPF - layer 4-7 depending on app
proxy - layer 7 (but may not _examine_ layer 7 info depending on app, so may
really be only looking at layer 4 info)

HTH,
Kent


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=25999&t=25757
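
The FTP back-channel case from the reply above, as an added example that is not part of the original thread: a toy stateful filter that reads the PORT command on the control channel and admits only the announced data connection, next to a layer-4-only rule that has to admit any SYN from source port 20. Class and function names, the addresses, and the two pinhole restrictions (same host, unprivileged port) are assumptions made for illustration.

```python
import re

# FTP PORT argument is h1,h2,h3,h4,p1,p2 (RFC 959); data port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

def parse_port(payload):
    """Return (ip, port) from an FTP PORT command, or None if absent or malformed."""
    m = PORT_RE.match(payload)
    n = [int(x) for x in m.groups()] if m else []
    if not n or any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def stateless_inbound(sport, dport, syn, ack):
    """Layer-4-only rules: admit anything with ACK set, plus (so active FTP
    works) any new connection from source port 20 to a high port."""
    return ack or (syn and sport == 20 and dport >= 1024)

class StatefulFilter:
    """Toy SPF: tracks outbound flows and FTP data channels announced via PORT."""
    def __init__(self):
        self.flows = set()     # (client, cport, server, sport) seen outbound
        self.expected = set()  # (server, client, data_port) pending pinholes

    def outbound(self, src, sport, dst, dport, payload=b""):
        self.flows.add((src, sport, dst, dport))
        if dport == 21:  # FTP control channel: the one place layer 7 is read
            target = parse_port(payload)
            # Pinhole only back to the sender itself, never a privileged port.
            if target and target[0] == src and target[1] >= 1024:
                self.expected.add((dst, src, target[1]))

    def inbound(self, src, sport, dst, dport, syn=False):
        if (dst, dport, src, sport) in self.flows:
            return True  # reply on a tracked flow
        if syn and sport == 20 and (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))  # one-shot pinhole
            self.flows.add((dst, dport, src, sport))
            return True
        return False

def demo():
    """Constructed session: client 10.0.0.5 uses active FTP to 192.0.2.10."""
    fw = StatefulFilter()
    fw.outbound("10.0.0.5", 40000, "192.0.2.10", 21, b"PORT 10,0,0,5,195,80\r\n")
    announced = fw.inbound("192.0.2.10", 20, "10.0.0.5", 50000, syn=True)
    unannounced = fw.inbound("192.0.2.10", 20, "10.0.0.5", 6000, syn=True)
    return announced, unannounced, stateless_inbound(20, 6000, True, False)
```

`demo()` returns the verdicts for the announced data connection, an unannounced one through the stateful filter, and the same unannounced connection through the layer-4-only rule.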



Re: Firewalls [7:25757]

2001-11-12 Thread John Tafasi

Thank you Kent for the elaborate answer. I really appreciate it.

John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26018&t=25757