* Circuit Level Gateway & Filtering!?
@ 2004-04-08 7:28 __ Radien__
From: __ Radien__ @ 2004-04-08 7:28 UTC (permalink / raw)
To: netfilter
Dear All
I have read some about ISA server from its documentation. It listed
some facilities, for example Circuit Level and App Level filtering and
gateway.
Circuit level filtering and gateway were strange to me. What are
they?
How can I see such capabilities in iptables? How do they get mapped in
iptables?
Is iptables something other than what the ip_conntrack_ftp.o module does in
the Application Layer?
Regards
__Radien__
* libipq
From: Devaraj Das @ 2004-04-08 8:32 UTC (permalink / raw)
To: netfilter
Hi all,
If I have an application (using libipq) that's waiting for packets, and I
want to inspect the payload, will the payload be encrypted in case I use
esp/transport with kernel 2.6 (with built-in ipsec)?
Thanks,
Devaraj.
__ Radien__ wrote:
> Dear All
>
> I have read some about ISA server from its documentation. It listed
> some facilities, for example Circuit Level and App Level filtering and
> gateway.
>
> Circuit level filtering and gateway were strange to me. What are
> they?
> How can I see such capabilities in iptables? How do they get mapped in
> iptables?
>
> Is iptables something other than what the ip_conntrack_ftp.o module does in
> the Application Layer?
>
> Regards
> __Radien__
* Re: libipq
From: Antony Stone @ 2004-04-08 8:48 UTC (permalink / raw)
To: netfilter
On Thursday 08 April 2004 9:32 am, Devaraj Das wrote:
> Hi all,
> If I have an application (using libipq) that's waiting for packets, and I
> want to inspect the payload, will the payload be encrypted in case I use
> esp/transport with kernel 2.6 (with built-in ipsec)?
This depends on which packets you inspect the payload of.
If you inspect the ESP packets, then yes, they will be encrypted under IPsec.
If you inspect the HTTP/FTP/SMTP/whatever packets which come out of the tunnel
on the other side, then no, they will not be encrypted (unless, of course,
you send ssh or https through your IPsec tunnel).
PS: Please don't quote an irrelevant previous posting, and please start a new
thread for a new question.
Regards,
Antony.
--
I'm pink, therefore I'm Spam.
Please reply to the list;
please don't CC me.
* Re: Circuit Level Gateway & Filtering!?
From: Antony Stone @ 2004-04-08 8:40 UTC (permalink / raw)
To: netfilter
On Thursday 08 April 2004 8:28 am, __ Radien__ wrote:
> Dear All
>
> I have read some about ISA server from its documentation. It listed
> some facilities, for example Circuit Level and App Level filtering and
> gateway.
>
> Circuit level filtering and gateway were strange to me. What are
> they?
These refer to the OSI 7-layer networking model: you have applications at the
top (web, email, ftp, ssh), then underneath those you have things like TCP/IP
to transfer packets around the Internet (without caring what sort of
application data is inside those packets), and then underneath that you have
ethernet cables and 802.11 connections etc actually getting the data from one
machine to another.
(Yes, this is a huge simplification - look up any reference on the OSI 7-layer
model for more details, and also compare it against the TCP 4-layer model).
Circuit level filtering means packet filtering - what netfilter does - in
other words you filter packets based on where they've come from and where
they're going to (IP addresses), and on *assumptions* about what the TCP/UDP
port numbers mean, rather than based on anything that's actually inside the
body of the packets (data).
Application level filtering means proxies - software which can understand
protocols like http, smtp, pop3, ftp, irc.... and look at the data and
commands which are being transferred between machines, then base the
filtering decisions on that (as well as IP addresses and hostnames).
Gateway simply refers to a machine which is in the path between your network
and the outside world - can mean anything from a simple router with no
filtering capabilities to a multi-protocol proxy server with intrusion
detection.
> How can I see such capabilities in iptables? How do they get mapped in
> iptables?
Netfilter (iptables) is a stateful packet filter, and therefore operates at
layers 3/4 of the OSI model - the network layers. It does not meaningfully
operate at layer 7 - the application layer.
> Is iptables something other than what the ip_conntrack_ftp.o module does in
> the Application Layer?
If you want realistic application layer filtering on a linux system you need
proxy applications like sendmail/exim/apache/squid/frox. Netfilter won't do
it for you.
Hope this helps,
Antony.
--
Documentation is like sex.
When it's good, it's very very good.
When it's bad, it's still better than nothing.
Please reply to the list;
please don't CC me.
* RE: Circuit Level Gateway & Filtering!?
From: __ Radien__ @ 2004-04-08 9:52 UTC (permalink / raw)
To: netfilter
Thx Antony
But:
>Circuit level filtering means packet filtering - what netfilter does - in
>other words you filter packets based on where they've come from and where
>they're going to (IP addresses), and on *assumptions* about what the TCP/UDP
>port numbers mean, rather than based on anything that's actually inside the
>body of the packets (data).
I read that it's something more than packet filtering, and that it works on
the session layer. Working on the session layer is a little hard for me to
understand. I'm looking for some example.
I guess the ESTABLISHED state option of iptables makes it work on such a
level, but I'm not sure.
>Application level filtering means proxies - software which can understand
>protocols like http, smtp, pop3, ftp, irc.... and look at the data and
>commands which are being transferred between machines, then base the
>filtering decisions on that (as well as IP addresses and hostnames).
>Gateway simply refers to a machine which is in the path between your network
>and the outside world - can mean anything from a simple router with no
>filtering capabilities to a multi-protocol proxy server with intrusion
>detection.
Thx, but I meant "Circuit Level gateway", not a simple gateway, by which I
mean IP (or network level).
>Netfilter (iptables) is a stateful packet filter, and therefore operates at
>layers 3/4 of the OSI model - the network layers. It does not meaningfully
>operate at layer 7 - the application layer.
But I think matching the RELATED state of an ftp data connection means working
on layer 7.
>If you want realistic application layer filtering on a linux system you need
>proxy applications like sendmail/exim/apache/squid/frox. Netfilter won't do
>it for you.
So you mean there's no such matching module or action in Netfilter.
P.S. Below is what I read about Circuit Level (Filtering and Gateway).
But they are a little ambiguous!
Regards
__Radien__
http://www.pc-help.org/www.nwinternet.com/pchelp/lockdown/claims/firewalls.htm
http://csrc.nist.gov/publications/nistpubs/800-10/node53.html&e=7317
http://www.pcstats.com/articleview.cfm?articleid=1450&page=5
http://www.firewall-software.com/firewall_faqs/types_of_firewall.html
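The stateful behaviour Antony describes (filtering at layers 3/4, with the ftp conntrack helper reading one layer-7 command only to predict the data connection) and Radien's question about the ESTABLISHED and RELATED states, as an added toy model that is not code from the thread or from netfilter; the tracker is simplified (no TCP flag or sequence checks) and the addresses and FTP session are constructed:

```python
import re

# Added toy model (not netfilter code): how iptables' NEW/ESTABLISHED/RELATED
# states arise, and how the ip_conntrack_ftp helper peeks at one layer-7 command
# (PORT) only to predict the data connection; the filter decision itself still
# uses just addresses, ports and state (layers 3/4). Simplified: no TCP flags.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class ConnTracker:
    def __init__(self):
        self.conns = set()     # (src, sport, dst, dport) of connections seen
        self.expected = set()  # (dst, dport) that the FTP helper predicts
    def classify(self, src, sport, dst, dport, payload=b""):
        # Return the conntrack state this packet would match.
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.conns or reverse in self.conns:
            state = "ESTABLISHED"
        elif (dst, dport) in self.expected:   # predicted by the helper
            state = "RELATED"
            self.expected.discard((dst, dport))
            self.conns.add(key)
        else:
            state = "NEW"
            self.conns.add(key)
        if dport == 21:                        # FTP control channel: run helper
            self._ftp_helper(payload)
        return state

    def _ftp_helper(self, payload):
        """Active-mode PORT h1,h2,h3,h4,p1,p2: expect a server->client connect."""
        m = PORT_RE.search(payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

def verdict(state, dport):
    """-m state --state ESTABLISHED,RELATED -j ACCEPT; NEW only to 21; else DROP."""
    if state in ("ESTABLISHED", "RELATED") or (state == "NEW" and dport == 21):
        return "ACCEPT"
    return "DROP"

def active_ftp_trace():
    # Constructed active-mode FTP session using RFC 5737 test addresses.
    ct, client, server = ConnTracker(), "192.0.2.10", "198.51.100.5"
    packets = [
        (client, 40000, server, 21, b""),                            # control SYN
        (server, 21, client, 40000, b"220 ftp ready\r\n"),           # banner
        (client, 40000, server, 21, b"PORT 192,0,2,10,156,65\r\n"),  # 156*256+65
        (server, 20, client, 40001, b""),                            # data conn
        (server, 20, client, 40002, b""),                            # unsolicited
    ]
    return [(s := ct.classify(*p), verdict(s, p[3])) for p in packets]
```

The fourth packet is accepted as RELATED only because the helper saw the PORT command on the control channel; the fifth, which nothing predicted, is NEW and dropped.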