| Yes, create a proxy for any tcp-based application. I'm assuming this
is what is possible with a 'packet filtering' router/firewall - protocol
filtering. Customer has this now and considers it a trade-off in
flexibility vs. security. We're trying to convince them otherwise.
Customer has a firewall based on a 'dynamic packet filtering'
architecture. Any thoughts on this vs. an application-level gateway?
It seems to have better flexibility than the application gateways and
offers better security than the straight packet filters.
Regards,
|
| Some packet filtering implementations have the capability of "remembering"
outgoing UDP packets that they have seen. They can then allow only
corresponding packets back in through the filtering mechanism. The router,
in essence, has the ability to modify the filtering rules on the fly to
accommodate returning packets. The rules created are time-limited; they only
last a few seconds or minutes. Dynamic packet filtering is used for any
situation in which the packet filtering rules change without somebody
explicitly changing the configuration in the router.
Checkpoint, Blackhole, SecureConnect Router, and KarlBridge/KarlRouter are a
few examples of companies using this technology. It appears that this is the
way the industry, router philosophy, are moving.
I believe that some companies are modifying their dynamic packet filtering
firewalls to operate at the application level, e.g., FTP. Checkpoint, I believe,
allows this.
There was some information about this in the June 1996 issue of LAN Times. It
was a special Internet issue. I think this is where I read this.
Regards,
|
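Added example, not part of the original messages and not any vendor's code: a minimal Python model of the dynamic UDP filtering described in the reply above, where an outbound datagram creates a time-limited rule that admits only the mirrored reply. The class name, the 30-second lifetime and the addresses are assumptions chosen for illustration.

```python
# Constructed sample addresses (private and documentation ranges).
INSIDE_HOST, DNS_SERVER, STRANGER = "10.0.0.5", "192.0.2.53", "198.51.100.7"


class DynamicUdpFilter:
    """Default-deny inbound UDP, with short-lived allow rules that are
    created only by traffic leaving the protected network."""

    def __init__(self, ttl=30.0):
        self.ttl = ttl      # rule lifetime in seconds (assumed value)
        self.rules = {}     # (src, sport, dst, dport) -> expiry time

    def _expire(self, now):
        # Drop every rule whose lifetime has run out.
        self.rules = {k: exp for k, exp in self.rules.items() if exp > now}

    def outbound(self, src, sport, dst, dport, now):
        """Inside host sends a datagram: remember the flow so the matching
        reply is let back in until the rule expires."""
        self._expire(now)
        self.rules[(src, sport, dst, dport)] = now + self.ttl
        return True

    def inbound(self, src, sport, dst, dport, now):
        """Outside host sends a datagram: allow it only if it mirrors a
        remembered outbound flow. Inbound traffic never extends the rule,
        so an outside host cannot hold the opening open by itself."""
        self._expire(now)
        return (dst, dport, src, sport) in self.rules


def demo():
    fw = DynamicUdpFilter(ttl=30.0)
    results = []
    # Unsolicited datagram before any outbound traffic: dropped.
    results.append(fw.inbound(DNS_SERVER, 53, INSIDE_HOST, 40000, now=0))
    fw.outbound(INSIDE_HOST, 40000, DNS_SERVER, 53, now=1)
    # Reply from the queried server to the querying port: allowed.
    results.append(fw.inbound(DNS_SERVER, 53, INSIDE_HOST, 40000, now=2))
    # Same ports but a different source address: dropped.
    results.append(fw.inbound(STRANGER, 53, INSIDE_HOST, 40000, now=3))
    # Right server, wrong inside port: dropped.
    results.append(fw.inbound(DNS_SERVER, 53, INSIDE_HOST, 40001, now=4))
    # Late reply after the rule has timed out: dropped.
    results.append(fw.inbound(DNS_SERVER, 53, INSIDE_HOST, 40000, now=40))
    return results


if __name__ == "__main__":
    print(demo())
```

The model matches on the full address and port tuple; it does not inspect payloads, which is the gap an application-level gateway addresses.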