[213] in WWW Security List Archive
CERN httpd proxy vs. SOCKS
daemon@ATHENA.MIT.EDU (hallam@cayenne.lcs.mit.edu)
Mon Nov 7 02:44:18 1994
From: hallam@cayenne.lcs.mit.edu
To: www-security@ns1.rutgers.edu
Date: Sun, 06 Nov 94 22:59:22 -0500
Reply-To: hallam@cayenne.lcs.mit.edu
Re the CERN server etc:
I think we have to re-examine what Ari and Kevin were up to.
Basically they were doing proof of concept work designing the
proxy in the back of an existing library of code and a server
that Ari wrote much of the code for. As people have pointed out
the CERN proxy server is a non-trivial piece of code. It is
not what I would regard as a `security' proxy. I see it as a
prototype for something rather different, something that in the
long term will be very important for the Web as a whole.
As far as a security proxy goes have a look at the TIS proxy server. This
is a bare bones, stripped to the essentials security proxy. While I am
pretty confident that there is no trojan horse or other malicious stuff
in the CERN server it is 60,000 lines of code. I think the basic idea is
a good one though and the TIS people know what they are up to.
I could quite see a lot of people running the CERN server as a proxy
cache through the TIS firewall proxy. We have to be careful here not to
get wrapped up in the emacs approach to software, trying to wrap
everything up in a single package that does everything. Sure that solves
the problems for 95% of the people but the other 5% have needs that can
only be met by stripping a system down and simplifying it - even at the
cost of functionality or performance. The Web marketplace is far too
large for any one product to be definitive. We should not be afraid to
make decisions based on the technical merits of the case thinking that
people may be upset by the revelation that one product or one group of
people have the solution to all problems.
As a case in point I think at some point someone is going to have to
develop a single purpose, limited functionality server specifically to
deal with very very large volume sites such as CERN, NCSA and the
Whitehouse.
On the specific question of SOCKs vs a proxy I much prefer the proxy
approach, or rather I like to see one in there even if it is Socksified
into the bargain. There are a number of issues where a proxy is really
needed. Socks can at best only protect you from attacks from unwelcome
hosts. It cannot provide protection against receiving contaminated data
from a trusted host. Several Web document formats are programming
languages in their own right, postscript being an example. One of the
most regular `discoveries' by Web hackers is that `you can download and
execute shell scripts with one easy modification to the mailcap file'.
One role that a security proxy can play is to filter out such potentially
dangerous document types - or alternatively provide some sort of fallback
security mechanism such as enforcing their display only via a trusted
channel.
Security is one area where it is impossible to make hard and fast rules.
For some sites (such as CERN) entirely open network connectivity is
essential. For others the only acceptable policy is to have an airgap
(not a firewall, i.e. a separate network) and for the only communication
between the networks to be FROM the secure area TO the internet. I think
they shred the floppies afterwards just to make sure.
The book by Cheswick and Brown "Firewalls and Internet Security" (Addison
Wesley) is a very good place to find info on this sort of stuff.
Phill Hallam-Baker
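The post argues that a SOCKS relay cannot stop contaminated data arriving from a trusted host, and that a security proxy can filter out document types which are really programs (PostScript, shell scripts) or divert them to a trusted viewer. The following is an added illustration of that filtering policy, written for this archive page; it is not code from the post, nor from the CERN or TIS proxies. The type lists, the magic-byte prefixes and the `filter_response` interface are assumptions chosen for the example. It goes slightly beyond the post in one respect: it distrusts the declared Content-Type when the first bytes of the body say otherwise, since a label is the cheapest thing for a hostile or misconfigured server to get wrong.

```python
"""Content-type filtering policy for an HTTP proxy (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"                    # pass the response through unchanged
    BLOCK = "block"                    # drop the response at the proxy
    TRUSTED_VIEWER = "trusted-viewer"  # deliver only via a trusted channel/viewer


# Document types that are programming languages in their own right.
# Assumed policy list for this example, not taken from the original post.
EXECUTABLE_TYPES = {
    "application/postscript",
    "application/x-sh",
    "application/x-csh",
    "application/x-shellscript",
}

# Allow-list: anything not listed here or above is blocked (fail closed).
ALLOWED_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg"}

# Magic prefixes used to notice a body whose declared type does not match.
MAGIC = {
    b"%!PS": "application/postscript",
    b"#!": "application/x-shellscript",
    b"GIF8": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}


def parse_content_type(value: Optional[str]) -> Tuple[Optional[str], Dict[str, str]]:
    """Split 'type/subtype; k=v' into (media_type, params), media type lowercased."""
    if not value:
        return None, {}
    parts = [p.strip() for p in value.split(";")]
    media = parts[0].lower() or None
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return media, params


def sniff_type(body: bytes) -> Optional[str]:
    """Return the media type implied by the leading bytes, or None if unknown."""
    for prefix, mtype in MAGIC.items():
        if body.startswith(prefix):
            return mtype
    return None


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


@dataclass
class Decision:
    verdict: Verdict
    media_type: Optional[str]
    reason: str


def filter_response(headers: Dict[str, str], body: bytes,
                    fallback_viewer: bool = True) -> Decision:
    """Decide what the proxy does with one response, from its headers and body."""
    declared, _ = parse_content_type(_header(headers, "Content-Type"))
    sniffed = sniff_type(body[:16])
    # The bytes win over the label: a server can mislabel, by accident or otherwise.
    effective = sniffed or declared
    if effective is None:
        return Decision(Verdict.BLOCK, None,
                        "no usable Content-Type and unrecognised body")
    if sniffed and declared and sniffed != declared:
        reason = f"declared {declared} but body looks like {sniffed}"
    else:
        reason = f"type {effective}"
    if effective in EXECUTABLE_TYPES:
        if fallback_viewer:
            return Decision(Verdict.TRUSTED_VIEWER, effective,
                            reason + ": executable document type, route to trusted viewer")
        return Decision(Verdict.BLOCK, effective, reason + ": executable document type")
    if effective in ALLOWED_TYPES:
        return Decision(Verdict.ALLOW, effective, reason)
    return Decision(Verdict.BLOCK, effective, reason + ": not on allow list")


if __name__ == "__main__":
    # Constructed sample responses, as a proxy might see them.
    print(filter_response({"Content-Type": "text/html; charset=ISO-8859-1"}, b"<html>"))
    print(filter_response({"Content-Type": "text/plain"}, b"%!PS-Adobe-2.0\n"))
    print(filter_response({}, b"hello"))
```

The two policy knobs are the allow-list and `fallback_viewer`: with the latter set to `False` the proxy simply drops executable document types, which is the "strip it down, even at the cost of functionality" posture the post describes; with it `True`, the proxy keeps the content but marks it for display only through a trusted channel.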