IPP Mail Archive: RE: IPP> Notifications

RE: IPP> Notifications

Carl Kugler (kugler@us.ibm.com)
Thu, 5 Feb 1998 15:48:34 -0500

Randy-

By "proxy", I mean "proxy server", specifically "application-level proxy
server" or "gateway": a server that receives requests intended for another
server and that acts on the client's behalf (as the client's proxy) to obtain
the requested service. These are high-end firewall devices that operate at the
upper levels of the protocol stack (i.e., all the way up to the application
layer), providing the highest level of protection available today. The proxy
server changes the IP address of the client packets to essentially hide the
internal client to the Internet, then it acts as a proxy agent for the client
on the Internet. In some cases (e.g., SGI Gauntlet), a proxy server is required
for each protocol on a gateway. For example, one is required for HTTP requests,
another for FTP requests, and so on. Circuit-level gateways (e.g., SOCKS,
rfc1928) provide a controlled network connection between internal and external
systems. A virtual "circuit" exists between the internal client and the proxy
server. Internet requests go through this circuit to the proxy server, and the
proxy server delivers those requests to the Internet after changing the IP
address. External users only see the IP address of the proxy server. Responses
are then received by the proxy server and sent back through the circuit to the
client. While traffic is allowed through, external systems never see the
internal systems. In general the only packets allowed back through a proxy
server are those that return responses to requests from inside the firewall.

I think the type of firewall you're discussing is the router based packet
filtering type (screening router), which works in the lower layers of the
network protocol stack. It would be interesting to know the install base of
the various types of firewalls. I know here at IBM we use proxy servers (now
mostly SOCKS gateways, formerly mostly application proxies).

If we use a protocol other than HTTP as a transport for realtime asynchronous
notification, won't we lose the advantages that we gained by choosing HTTP in
the first place?

-Carl
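The "controlled connection" of a circuit-level gateway that Carl describes is visible in the SOCKS5 (RFC 1928) handshake: the client hands the gateway the destination host and port as application-level data, and the gateway decides whether to open the outbound leg before any bytes flow. The following is an added example, not code from the original thread; it models both sides of the CONNECT exchange with a constructed allow-list of destination ports (the printer host name and port 631 are assumed sample values).

```python
import struct

# Constants from RFC 1928
SOCKS_VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def client_greeting():
    # VER | NMETHODS | METHODS: offer only "no authentication required"
    return bytes([SOCKS_VER, 1, NO_AUTH])


def client_connect(host, port):
    # VER | CMD | RSV | ATYP | DST.ADDR (length-prefixed domain) | DST.PORT
    name = host.encode("ascii")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def gateway_select_method(greeting):
    # Gateway side of the method negotiation.
    if greeting[0] != SOCKS_VER or NO_AUTH not in greeting[2:2 + greeting[1]]:
        return bytes([SOCKS_VER, NO_ACCEPTABLE])
    return bytes([SOCKS_VER, NO_AUTH])


def gateway_handle_connect(request, allowed_ports):
    # Gateway parses the requested destination and applies its ruleset
    # before (hypothetically) opening the outbound leg of the circuit.
    # Returns (reply bytes, (host, port) or None).
    ver, cmd, _rsv, atyp = request[:4]
    bnd = bytes([ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00"  # BND.ADDR/BND.PORT, constructed
    if ver != SOCKS_VER or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
        return bytes([SOCKS_VER, REP_CMD_UNSUPPORTED, 0x00]) + bnd, None
    n = request[4]
    host = request[5:5 + n].decode("ascii")
    (port,) = struct.unpack("!H", request[5 + n:7 + n])
    rep = REP_SUCCESS if port in allowed_ports else REP_NOT_ALLOWED
    return bytes([SOCKS_VER, rep, 0x00]) + bnd, (host, port)


def run_exchange(host, port, allowed_ports):
    # Full client/gateway exchange; returns the REP code the client sees.
    if gateway_select_method(client_greeting())[1] != NO_AUTH:
        return NO_ACCEPTABLE
    reply, _dst = gateway_handle_connect(client_connect(host, port), allowed_ports)
    return reply[1]
```

Because the destination is parsed by the gateway rather than forwarded blindly, the same code path is where logging and per-destination policy naturally live.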

ipp-owner@pwg.org on 02/05/98 10:44:30 AM
Please respond to ipp-owner@pwg.org @ internet
To: ipp@pwg.org @ internet
cc:
Subject: RE: IPP> Notifications

I'm not sure what "proxy" means in this context. I'm assuming for the
purposes of realtime asynchronous notification that we would not be
using HTTP as a transport, so any issues surrounding HTTP proxies would
be moot. Are we talking about some other type of proxy?

In my experience, UDP wasn't the problem with NFS mounts over the
internet. Rather, it's just too easy to hack NFS UID-style
authentication. Especially with SUNOS systems that had the annoying
habit of including a "nobody" user UID in the default /etc/passwd file.
This "well-known" UID pair was used by hackers to mount attacks on the
"/" root partition, retrieving a site's /etc/passwd file, and then
locally running "crack" on their system until they had the root
password. This problem was exacerbated because administrators were too
lazy configuring their "exports" file by including the "/" partition,
and not restricting mounts to this partition to specific hosts only.

Also, NFS these days uses TCP as well, for both NFSv2 and NFSv3, at
least on Sun SunOS/Solaris systems.

Randy

-----Original Message-----
From: Carl Kugler [SMTP:kugler@us.ibm.com]
Sent: Thursday, February 05, 1998 8:11 AM
To: ipp@pwg.org
Subject: RE: IPP> Notifications

But... Proxies don't open up TCP or UDP pipes. Proxies pass
nothing through.
Everything gets pulled up to the application level and then
resent. Much more
secure that way.

Also, note that very few corporate firewalls are configured to
let NFS
through. That's partly because NFS is UDP-based and can't be
securely
controlled.

-Carl

ipp-owner@pwg.org on 02/04/98 08:17:53 PM
Please respond to ipp-owner@pwg.org @ internet
To: masinter@parc.xerox.com @ internet
cc: ipp@pwg.org @ internet
Subject: RE: IPP> Notifications

I am speaking about our specific installation of Checkpoint
Firewall-1,
from which Cisco and a number of other vendors have licensed
technology