
Re: question about proxy firewall



On Thu, Sep 25, 2003 at 04:02:01PM +0300, Haim Ashkenazi wrote:
> Hi
> 
> I've read an article about FreeBSD which made me read some parts of the
> FreeBSD documentation. In the firewall section there is a short description
> about proxy firewalls. I've made some more searching and found a "free"
> product called "TIS" which provides this functionality (which I thought was
> only available on costly commercial products like Checkpoint). A little

Just FYI, TIS was the company founded by Marcus Ranum which provided the
firewall toolkit (see www.fwtk.org). The FWTK was the basis for the first
commercial firewall: Gauntlet [1]. FWTK is not "free" in any sense, see
http://www.fwtk.org/fwtk/download/downloading.html#1.3

Also, Checkpoint is not a proxy firewall (but it is starting to become like
one with this new 'Application Intelligence' stuff).


> more searching got me to products available for Linux (like dante), but in
> their documentation I've read that it is used mainly for outgoing traffic.
> 
> I know very little about this subject, so I was wondering, is there a
> product for Linux that provides some more security for incoming traffic
> (instead of just sophisticated filtering).

You might want to take a look at Zorp
(www.gnu.org/directory/security/firewall/zorp.html) which provides a
framework for developing proxies with filtering (i.e. a proxy firewall) in
Python. And, of course, it's packaged in Debian.

You can still build a "firewall proxy" without things like fwtk or Zorp but
it's kind of a "do-it-yourself" thing: take a set of proxies ('apt-cache
search proxy') such as squid, dircproxy, ftp-proxy, pdnsd, perdition,
smtpd, xfwp, and simpleproxy, install them on a bastion host, configure
each tool to implement your security policy by filtering within each of the
proxies, code filters in those proxies that do not implement them, etc.

Regards

Javi

[1] Googling, I found a nice article which describes this better:
"Firewalls and Internet Security, the Second Hundred (Internet) Years" by
Frederick Avolio, available at a number of places including
http://www.spirit.com/CSI/Papers/fw2hundred.html
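As an added illustration of the "filtering within each of the proxies" idea from the reply above (this is example code written for this page, not code from the thread, from Zorp, or from any of the tools named): a minimal reverse HTTP proxy for a bastion host that parses each incoming request and decides on the parsed protocol fields (method, request target, HTTP version, Host header, header size) before any connection to the protected server is opened, which is what distinguishes a proxy firewall from a packet filter. The permitted host name, the backend address and the listening port are assumed example values.

```python
import socket
import threading

ALLOWED_METHODS = {b"GET", b"HEAD"}
ALLOWED_HOSTS = {b"www.example.org"}  # assumed example value, not from the thread
MAX_HEADER_BYTES = 8192
BACKEND = ("127.0.0.1", 8080)  # assumed address of the protected web server

def check_request(raw):
    """Policy decision on parsed HTTP fields; returns (ok, reason)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        return False, "incomplete or oversized request head"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1") or not parts[1].startswith(b"/"):
        return False, "malformed request line"
    if parts[0] not in ALLOWED_METHODS:
        return False, "method not permitted"
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")]
    if len(hosts) != 1 or hosts[0].split(b":")[0] not in ALLOWED_HOSTS:
        return False, "host not permitted"
    return True, "ok"

def handle(client):
    """Read the head, apply the policy, then relay; rejected requests never reach the backend."""
    with client:
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) <= MAX_HEADER_BYTES:
            chunk = client.recv(4096)
            if not chunk:
                break
            raw += chunk
        if not check_request(raw)[0]:
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        # GET/HEAD carry no body, so the head is the whole request; force Connection: close so the relay loop ends at EOF.
        head = [l for l in raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
                if not l.lower().startswith(b"connection:")]
        with socket.create_connection(BACKEND, timeout=10) as backend:
            backend.sendall(b"\r\n".join(head) + b"\r\nConnection: close\r\n\r\n")
            for data in iter(lambda: backend.recv(4096), b""):
                client.sendall(data)

def serve(listen=("0.0.0.0", 8000)):
    # Accept on the bastion host, one thread per client; call serve() to run the proxy.
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

Each check_request rule corresponds to one line of the security policy; adding a rule (for instance a path allow-list) means adding one more parsed-field test, and nothing is forwarded until all of them pass.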
