On Thu, 2004-01-08 at 18:08, Michael D. (Mick) Bauer wrote:
> If I skip the file matcher (at this point I'm not worried about content filtering), am I right in thinking that plain old HttpProxy still leverages significant intelligence against my connections? What sort of attacks does it defend against? (Cross-site scripting? Really-long URL (GET) requests?)
Zorp strictly forces the correct usage of the given protocol, which means RFC compliant usage of commands (requests and responses), correct orders and attributes (lengths, character sets etc). I think the developers can give us more details. So if an exploit, a worm or a valid utility ;-) keeps to the RFC, it will get through the proxy. Fortunately the majority of the worms, attacks and other bad things do not comply with the protocol (like Code Red or Nimda). If something complies with the protocol, it is an nIDS, content vectoring or virus detection issue, not a protocol proxy's task!

Zorp's architecture has many layers, but the two main layers are the proxy itself, which is written in C (it is a "stupid" protocol parser), and the python layer, which gives a very powerful tool to implement your policy, so an administrator can create the narrowest channel between the zones. If you look at the package, the zorp modules (binaries) are in /usr/lib/zorp/ and the python code is in /usr/share/zorp/pylib/Zorp/*.py. Every .py file begins with a long documentation, which describes how the given proxy works and what kind of attributes it has. These attributes' defaults have been set to the strictest possible state. It is strong enough to block many attacks.

In addition, all the proxies can parse the protocol, and it is transmitted to the python layer. From the policy you can accept, reject or even change the given request or response. For example, in a Http proxy you can change the user agent to hide your internal architecture (MUAs, browsers, etc):

    class MyHttpProxy(HttpProxy):
        def config(self):
            HttpProxy.config(self)
            self.request_headers["User-Agent"] = [HTTP_CHANGE_VALUE, "Lynx 2.4.1"]

There is always an AbstractProxy, which contains the basic settings of the proxy (many of the protocol commands are handled here - please see, but don't be afraid ;-), and there are many predefined proxy sets derived from AbstractProxy, which are the most commonly used proxy sets.
ftp is a good example:

    class FtpProxy(AbstractFtpProxy):
    class FtpProxyAnonRO(AbstractFtpProxy):
    class FtpProxyRO(AbstractFtpProxy):
    class FtpProxyAnonRW(AbstractFtpProxy):
    class FtpProxyRW(AbstractFtpProxy):
    class FtpProxyMinimal(FtpProxyRO):

If you want to change something, it is enough to derive your own proxy from the most suitable predefined one and change what you need.

bye,
Péter

-- 
HÖLTZL Péter             BalaBit IT Kft        | Tel: +36 1 371-0540   | GnuPG Fingerprint:
holtzl.peter@balabit.hu                        | Mobil: +36 20 366-9667 | 796B C9D3 E492 B006 C8B2
http://www.balabit.hu/                         | Fax: +36 1 208-0875   | 4D1F 5320 28E3 9A1B 3FC6
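To make the two ideas in the reply concrete (the C layer rejecting anything that is not RFC-shaped before policy runs, and the python policy layer applying a per-header action table that a derived class overrides in config()), here is a stand-alone Python model written for this thread. It is not Zorp's code: the action constants, the MAX_URL_LENGTH limit, the accepted method list and the "unknown headers are dropped" default are constructed for illustration, not Zorp's real defaults.

```python
import re

# Header actions, named after the HTTP_CHANGE_VALUE constant used in the reply.
# These names and values are constructed for this example, not Zorp's own constants.
HTTP_HDR_ACCEPT = "accept"        # pass the header through unchanged
HTTP_HDR_DROP = "drop"            # silently remove the header
HTTP_CHANGE_VALUE = "change"      # keep the header, replace its value

# The "stupid" C-layer part: a request line must look exactly like the RFC says.
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")
MAX_URL_LENGTH = 2048             # assumed limit; answers the "really long GET" question


class HttpProxy:
    """Model of a predefined proxy: config() fills the policy, handle_request() applies it."""

    def __init__(self):
        self.request_headers = {}  # header name -> [action, optional new value]
        self.config()              # dispatches to the most derived config()

    def config(self):
        # Strict default policy: only listed headers pass, anything else is dropped.
        self.request_headers["Host"] = [HTTP_HDR_ACCEPT]
        self.request_headers["User-Agent"] = [HTTP_HDR_ACCEPT]

    def handle_request(self, raw):
        """Return the rewritten request, or None if it is rejected as non-RFC-shaped."""
        lines = raw.split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m or len(m.group(2)) > MAX_URL_LENGTH:
            return None  # protocol violation: refused before any policy code runs
        out = [lines[0]]
        for line in lines[1:]:
            if not line:
                break  # blank line ends the header block
            name, _, value = line.partition(":")
            action = self.request_headers.get(name.strip(), [HTTP_HDR_DROP])
            if action[0] == HTTP_HDR_ACCEPT:
                out.append(f"{name.strip()}: {value.strip()}")
            elif action[0] == HTTP_CHANGE_VALUE:
                out.append(f"{name.strip()}: {action[1]}")
            # HTTP_HDR_DROP (and unknown headers): nothing is emitted
        return "\r\n".join(out) + "\r\n\r\n"


class MyHttpProxy(HttpProxy):
    """Derived proxy, as in the reply: inherit the defaults, then override one header."""

    def config(self):
        HttpProxy.config(self)
        self.request_headers["User-Agent"] = [HTTP_CHANGE_VALUE, "Lynx 2.4.1"]
```

Feeding the same request through HttpProxy and MyHttpProxy shows the unknown X-Internal header removed by both and the User-Agent rewritten only by the derived class, while an over-long URL or an unknown HTTP version never reaches the policy at all.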