Great Circle Associates Firewalls
(June 1997)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Stateful Packet Filters vs. Proxies
From: Mike Jones <mike . jones @ unifiedtech . com>
Organization: Unified Technologies, Inc.
Date: Mon, 09 Jun 1997 15:01:13 -0400
To: firewalls @ GreatCircle . COM
References: <Pine . 3 . 89 . 9706091222 . A1891-0100000 @ onshore . com>

Craig Brozefsky wrote:
> On Mon, 9 Jun 1997, Mike Ordun wrote:
> > Have been following this discussion with a lot of interest as a
> reseller
> > of both SPF and proxy firewalls.  I happen to believe that both are
> > appropriate in different circumstances and customer need.
> Nevertheless, I
> > am a little troubled by the claims that SPFs are inherently
> > insecure.  Let me present a challenge.  Lets compare some specific
> > commercial offerings -- Firewall-1 in one corner representing SPF
> and say
> > Gauntlet, Raptor, or ANS in the other representing the proxy
> approach.
> > What I would like is some specific vulnerability that I cannot
> protect
> > myself from using the SPF as opposed to the proxy approach.  Again
> just
> > for emphasis, I am interested in specific vulnerabilities not just
> > restatement that in theory proxies are better because they deal with
> the
> > protocol at the application layer.  My somewhat cynical hypothesis,
> until
> > proven wrong with specific example, is that the majority of proxies
> are
> > really not better and in fact may be no more than an disguised SPF
> with
> > address translation.
> I gave an example earlier of smapd, and the capabilities it presents.

Let me continue to be a contrarian and claim that mail, like other
applications, should not necessarily be handled at all at the
firewall. A firewall is first and foremost an access control device,
and running an application (even a simple mail forwarder, like smap)
is not an optimal use of the firewall. I feel much the same way
about http proxying and filtering.
 
> How about strong authentication at the firewall?  Presenting a POP3
> interface that uses APOP?

How about strong authentication? Firewall-1 has offered SecurID
authentication for quite a while now. And I'd rather not have my
firewall present a POP3 interface at all, thank you. APOP or no
APOP, POP3 isn't exactly a model citizen as a protocol.
 
> Specific vulnerabilities include buffer overflows in your MTA allowing
> /bin/sh to be executed as that UID.  How about the IMAP and POP3 holes
> that were recently published.  You could not have exploited these on a
> application based IMAP or POP3 proxy.

You could not exploit them on an SPF, either, since it wouldn't be
running the MTA. This (to me) falls into the category of not 
neglecting security on internal systems just because you have
a firewall in place.
 
> Any buffer overlfow or other exploit that would involve the execution
> of
> /bin/sh(or other shell) via a overflow in a network accesable deamon
> (let's say your POP3 or sendmail deamon) would be foiled by an
> application level.  This assumes that it is a true application level
> proxy, like smapd for example from TIS.  The reson for this is that
> packets are not passed from the attacker to the victim via the
> firewall,
> rather the attacker has to interact with the firewall, and the
> firewall,
> then sends seeprate application level requests to the internal machine
> to
> perform the desired actions(assuming they fit wihtin the acceptable
> range
> of actions).

Actually, I think you have it backward. We find ourselves in the
enviable position of having most of our proxy-based firewalls 
written by good people who know what they're doing, thereby having
a lot of good proxies (smap being a fine example) to use as examples.
However, those proxies theoretically are prone to buffer overflow
attacks in the same way as the service daemons they're protecting
are. Since an SPF doesn't reassemble or interpret entire service
requests, it's immune to (for example) a buffer overflow attack
based on the way a particular SMTP command is interpreted.
 
> One thing to consider when it comes to application level proxies, is
> that
> not all may perform the same level of 'proxying' as I described
> above(generating their own application level requests within a
> approved
> range and then packaging the response to send to the original
> requestor).  Smapd does this on TIS, I am not sure if http-gw does.

I'd say that a proxy that doesn't do that is hardly worth the name.

--
	Mike Jones
	Sr. Technology Advisor
	UNIFIED Technologies


Follow-Ups:
References:
Indexed By Date Previous: TCP/IP Addressing Problems with FireWall
From: Andrew & Terri Forster <forster @ emirates . net . ae>
Next: robots.txt
From: Jonathan Tobin <dyabolyk @ columbia . digiweb . com>
Indexed By Thread Previous: Re: Stateful Packet Filters vs. Proxies
From: Craig Brozefsky <craig @ onshore . com>
Next: Re: Stateful Packet Filters vs. Proxies
From: Craig Brozefsky <craig @ onshore . com>

Google
 
Search Internet Search www.greatcircle.com