hi, everybody: Recently, I have been using TIS (http://www.tis.com/research/software/) as an http, ftp and telnet proxy. I integrated TIS with the ipchains, squid and FreeS/WAN packages in Red Hat Linux. But it seems to have become the system performance bottleneck. May I ask whether Zorp is a good replacement for TIS in performance and capability? Thanks.
On Tue, Feb 13, 2001 at 05:20:59PM +0800, luke wrote:
> hi, everybody: Recently, I have been using TIS (http://www.tis.com/research/software/) as an http, ftp and telnet proxy. I integrated TIS with the ipchains, squid and FreeS/WAN packages in Red Hat Linux. But it seems to have become the system performance bottleneck. May I ask whether Zorp is a good replacement for TIS in performance and capability?
You ask two different questions, let me answer them in order:

1) capabilities

Zorp is a modular firewall, which means that its architecture allows each proxy to use another proxy to analyze a subprotocol embedded in the main protocol stream. Think of POP3 or IMAP embedded in SSL. An upper level proxy (SSL in our case) decrypts traffic as it passes the firewall, and runs an embedded POP3 proxy to make sure that nothing else but POP3 is allowed on the encrypted channel. Another example would be a content verifier proxy, which gets a raw file with some meta information (like filename, mime type etc.) and, after verifying its contents (with virus scanners, prohibited words etc.), plugs into an HTTP or FTP proxy.

Apart from the modularity, Zorp is also event driven. You can react on events the protocol proxy raises, and tell the proxy what to do. For example, if you only want to allow anonymous FTP traffic, you override the USER event the FTP proxy generates, check that the username is acceptable (anonymous or ftp) and return the result of your check; the proxy will behave accordingly. The language you write these checks in is Python, that's why Python is required for Zorp. (The proxies themselves are written in C.)

Currently we have application level gateways for the following protocols:

Free version:
-------------
HTTP/1.1 (keep-alive and chunked encoding fully supported)
FTP
finger
SSL
plug

Commercial version:
-------------------
Enhanced SSL
POP3

This list is continuously growing. The free version is available under the GPL, the commercial version is available under a binary only license.

Our proxies were written with security in mind, we analyze each part of the protocol as deeply as possible. An FTP proxy would work with processing only the PORT and PASV commands; our FTP proxy strictly checks the allowable return codes for each command. Our finger proxy checks that the username contains only alphanumeric characters.

We integrate ipchains nicely into Zorp, we are able to add/remove rules from the packet filter on the fly (enabling a service on Zorp adds the corresponding filter rule); this is achieved by directly calling system calls, not by calling the ipchains program externally.

2) stability

You didn't ask about stability, but if you are planning to replace an existing system, you really WANT stability. Zorp is used at quite a number of places, and both our stable branch (0.6.x) and the latest releases of the development branch seem to be stable. The development branch is under feature freeze now, 0.8 will be released real soon now.

3) performance

It was a while ago when we tested Zorp performance. Using plug I could achieve about 17Mbytes/sec on a Celeron450 workstation with IDE disks and 128MB RAM. The test was to copy a large amount of data (100Mbytes as I remember) from /dev/zero into /dev/null through Zorp on a single computer. So the load of the client, proxy and server was placed on a single computer; this theoretically means that Zorp could do about 50Mbytes/sec throughput (assuming that the client and the server run elsewhere). We are running Zorp with 100 concurrent sessions without problems.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
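The event-driven proxy idea described above (a policy hook answering the FTP USER event, strict checking of the server's reply codes per command, and the finger proxy's alphanumeric-username rule) as an added, self-contained Python model. This is illustrative code written for this thread, not Zorp's own API or proxies: `FtpProxyModel`, its hook names and the reply-code table are constructed for the example.

```python
import re

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed table of reply codes each command may legitimately receive
# from the server; a small illustrative subset, not Zorp's own tables.
ALLOWED_REPLIES = {
    "USER": {230, 331, 332, 530},
    "PASS": {202, 230, 332, 530},
    "PASV": {227, 425, 530},
    "QUIT": {221},
}


class FtpProxyModel:
    """Hypothetical event-driven FTP control-channel filter (not Zorp's API)."""

    def __init__(self):
        self.hooks = {}  # command name -> policy callback(argument) -> decision

    def on(self, command, hook):
        self.hooks[command.upper()] = hook

    def client_line(self, line):
        """Raise an event for the client's command and return the decision."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd not in ALLOWED_REPLIES:
            return REJECT  # commands the model does not understand never pass
        hook = self.hooks.get(cmd)
        return hook(arg) if hook else ACCEPT

    def server_reply(self, command, line):
        """Accept the server's reply only if its code is allowed for the command."""
        m = re.match(r"(\d{3})[ -]", line)
        if not m or int(m.group(1)) not in ALLOWED_REPLIES[command.upper()]:
            return REJECT
        return ACCEPT


def anonymous_only(username):
    """USER event hook: allow only the anonymous accounts named in the thread."""
    return ACCEPT if username.lower() in ("anonymous", "ftp") else REJECT


def finger_query_ok(username):
    """Finger check from the thread: the username must be purely alphanumeric."""
    return re.fullmatch(r"[A-Za-z0-9]+", username) is not None
```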
On Tue, Feb 13, 2001 at 11:25:58AM +0100, Balazs Scheidler wrote:
> Free version:
> -------------
> HTTP/1.1 (keep-alive and chunked encoding fully supported)
> FTP
> finger
> SSL
> plug
>
> Commercial version:
> -------------------
> Enhanced SSL
> POP3
What about telnet? Any plans for trying to do ssh? Also, what about authentication? We use T.Rex right now since it uses Radius as one of its authentication methods, and that gives us One Time Passwords with our Radius/CryptoCard server. We're also looking for Telnet and FTP proxies that are Kerberos5 aware. I'm pretty sure we'll have to roll our own on that one.

Tim
-- 
Tim Sailer <sailer@bnl.gov>
Cyber Security Operations
Brookhaven National Laboratory
(631) 344-3001
On Tue, Feb 13, 2001 at 07:24:26AM -0500, Tim Sailer wrote:
> On Tue, Feb 13, 2001 at 11:25:58AM +0100, Balazs Scheidler wrote:
> > Free version:
> > -------------
> > HTTP/1.1 (keep-alive and chunked encoding fully supported)
> > FTP
> > finger
> > SSL
> > plug
> >
> > Commercial version:
> > -------------------
> > Enhanced SSL
> > POP3
>
> What about telnet? Any plans for trying to do ssh?
telnet is under consideration. It was not a primary objective, since there's not too much you can do with the telnet protocol (except for option negotiation and environment variable filtering), a simple plug would suffice. Telnet is inherently insecure, it shouldn't be used in security conscious environments, a proxy wouldn't change this. SSH is also planned. Personally I have already implemented a working SSH2 proxy (in the LSH project), but Zorp will probably use an independent implementation.
> Also, what about authentication? We use T.Rex right now since it uses Radius as one of its authentication methods, and that gives us One Time Passwords with our Radius/CryptoCard server.
We have our own authentication system, currently supporting S/Key and CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we are redesigning some parts.
> We're also looking for Telnet and FTP proxies that are Kerberos5 aware. I'm pretty sure we'll have to roll our own on that one.
What do you mean on that? Authenticate your users for going through the firewall?

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, Feb 13, 2001 at 01:44:24PM +0100, Balazs Scheidler wrote:
> telnet is under consideration. It was not a primary objective, since there's not too much you can do with the telnet protocol (except for option negotiation and environment variable filtering), a simple plug would suffice. Telnet is inherently insecure, it shouldn't be used in security conscious environments, a proxy wouldn't change this.
We are looking for authenticated sessions, where there is no other choice. We have a LOT of legacy systems (PDPs and Vaxes) that can only talk the legacy protocols.
> SSH is also planned. Personally I have already implemented a working SSH2 proxy (in the LSH project), but Zorp will probably use an independent implementation.
OK. I'd be interested in seeing this.
> > Also, what about authentication? We use T.Rex right now since it uses Radius as one of its authentication methods, and that gives us One Time Passwords with our Radius/CryptoCard server.
>
> We have our own authentication system, currently supporting S/Key and CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we are redesigning some parts.
That's a problem with a lot of things that use CryptoCard. Everyone supports it in their own way. We have a full enterprise rolled out with cryptocards, and for us to have to maintain 2 separate sets of account info would be hard. We use Radius backended by the cryptoadmin server, and that gives us a common OTP for all our services, including logging in to hosts, since there is a pam_radius_auth module.
> > We're also looking for Telnet and FTP proxies that are Kerberos5 aware. I'm pretty sure we'll have to roll our own on that one.
>
> What do you mean on that? Authenticate your users for going through the firewall?
Yes. And, if they have a valid ticket already, let them pass through without any more authentication.

Tim
-- 
Tim Sailer <sailer@bnl.gov>
Cyber Security Operations
Brookhaven National Laboratory
(631) 344-3001
On Tue, Feb 13, 2001 at 08:15:02AM -0500, Tim Sailer wrote:
> On Tue, Feb 13, 2001 at 01:44:24PM +0100, Balazs Scheidler wrote:
> > telnet is under consideration. It was not a primary objective, since there's not too much you can do with the telnet protocol (except for option negotiation and environment variable filtering), a simple plug would suffice. Telnet is inherently insecure, it shouldn't be used in security conscious environments, a proxy wouldn't change this.
>
> We are looking for authenticated sessions, where there is no other choice. We have a LOT of legacy systems (PDPs and Vaxes) that can only talk the legacy protocols.
Yes, that's why we are considering telnet.
> > SSH is also planned. Personally I have already implemented a working SSH2 proxy (in the LSH project), but Zorp will probably use an independent implementation.
>
> OK. I'd be interested in seeing this.
ok.
> > > Also, what about authentication? We use T.Rex right now since it uses Radius as one of its authentication methods, and that gives us One Time Passwords with our Radius/CryptoCard server.
> >
> > We have our own authentication system, currently supporting S/Key and CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we are redesigning some parts.
>
> That's a problem with a lot of things that use CryptoCard. Everyone supports it in their own way. We have a full enterprise rolled out with cryptocards, and for us to have to maintain 2 separate sets of account info would be hard. We use Radius backended by the cryptoadmin server, and that gives us a common OTP for all our services, including logging in to hosts, since there is a pam_radius_auth module.
Our system isn't necessarily closed. It can use a radius server as a backend.
> > > We're also looking for Telnet and FTP proxies that are Kerberos5 aware. I'm pretty sure we'll have to roll our own on that one.
> >
> > What do you mean on that? Authenticate your users for going through the firewall?
>
> Yes. And, if they have a valid ticket already, let them pass through without any more authentication.
We'll think about it.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, Feb 13, 2001 at 02:21:52PM +0100, Balazs Scheidler wrote:
> Yes, that's why we are considering telnet.
Great! Please let me know if you implement this.
> > > We have our own authentication system, currently supporting S/Key and CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we are redesigning some parts.
> >
> > That's a problem with a lot of things that use CryptoCard. Everyone supports it in their own way. We have a full enterprise rolled out with cryptocards, and for us to have to maintain 2 separate sets of account info would be hard. We use Radius backended by the cryptoadmin server, and that gives us a common OTP for all our services, including logging in to hosts, since there is a pam_radius_auth module.
>
> Our system isn't necessarily closed. It can use a radius server as a backend.
Hmm, OK. I didn't see this when I looked at the application. I'll go back again.
> > > > We're also looking for Telnet and FTP proxies that are Kerberos5 aware. I'm pretty sure we'll have to roll our own on that one.
> > >
> > > What do you mean on that? Authenticate your users for going through the firewall?
> >
> > Yes. And, if they have a valid ticket already, let them pass through without any more authentication.
>
> We'll think about it.
Thanks. This would solve most of our problems, along with the ssh and telnet, since we have the krb5 server using OTP authentication. This would give us single-signon with strong authentication.

Tim
-- 
Tim Sailer <sailer@bnl.gov>
Cyber Security Operations
Brookhaven National Laboratory
(631) 344-3001