
8/31/2006
04:15 AM

App Proxies: No Reviving the Dream

Application proxies stir up fond memories of more enterprise control, but chances of resurgence are slim

What ever happened to the application proxy?

The shortcomings of today's security products have some security experts feeling a little nostalgic for the proxy, which restricts traffic to what a specific application protocol allows -- think HTTP, FTP, XML, AIM, Skype -- and can log user activity.

Conceptually, proxies are attractive because they don't come with the baggage of false positives, says Nate Lawson, engineering director for Cryptography Research. "The decision to support various features of a protocol is made when the proxy is written. If a feature is not supported, it just won't work through the proxy," he says, whereas an IDS/IPS has to make decisions about features that it has never seen before, or that may or may not be supported.

With the exception of HTTP/Web firewall proxies, application-level proxy technology never really took off, due to performance issues and the difficulty of creating proxies for various apps.

"Proxy firewalls aren't popular today because there has always been a perceived, and once real, performance hit. And proxies for new services -- [such as] AIM and Skype -- take a long time to appear, if ever," Lawson says. "That leaves companies in the unenviable position of having to write their own proxy, which is critical code that could shut down a service if it crashes."

True application proxies would allow or disallow traffic for, say, a PeopleSoft app, says John Pescatore, a vice president with Gartner. But proxies today are mostly protocol proxies in firewalls and mainly deal with HTTP and Web apps, he says.

Lawson says the only hope for resuscitating application proxy technology -- albeit a long shot -- is for app developers to provide machine-readable specifications on their apps, so there would be no need to write new proxies because every application would come with its own proxy definition.

A machine-readable protocol description would ultimately let enterprises control access. "But I'm not sure what is in it for the vendor. Many want to keep their protocols proprietary, and opening them up so people can control access to their services only hurts them," says Dave Goldsmith, president of Matasano Security.
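As an added illustration (not code from the article or from anyone quoted in it), the example below shows the default-deny behavior Lawson describes, driven by a declarative per-application definition of the kind he proposes. The definition format, the FTP-like verbs, and the names `FTP_DEFINITION`, `load_definition` and `mediate` are assumptions made for the example.

```python
import re

# Constructed, hypothetical "proxy definition" for an FTP-like control channel:
# each supported verb maps to a regex that its argument must fully match.
FTP_DEFINITION = {
    "USER": r"[A-Za-z0-9_.-]{1,32}",
    "PASS": r"[\x21-\x7e]{1,64}",
    "RETR": r"[A-Za-z0-9_/-]{1,128}(\.[A-Za-z0-9]{1,8})?",
    "LIST": r"",
    "QUIT": r"",
}
REDACT = {"PASS"}   # arguments of these verbs never reach the activity log
MAX_LINE = 512      # bytes, including the trailing CRLF


def load_definition(definition):
    """Compile the declarative definition once, when the proxy starts."""
    return {verb: re.compile(pattern) for verb, pattern in definition.items()}


def mediate(rules, user, raw):
    """Return (forward, log_entry) for one client line; the default is deny."""
    def verdict(ok, reason, shown):
        return ok, {"user": user, "allowed": ok, "reason": reason, "line": shown}

    if len(raw) > MAX_LINE or not raw.endswith(b"\r\n"):
        return verdict(False, "bad framing", "")
    try:
        line = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        return verdict(False, "non-ASCII bytes", "")
    if not line.isprintable():
        # Embedded CR/LF or other control bytes could smuggle a second command.
        return verdict(False, "control characters", "")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb not in rules:
        # A feature absent from the definition simply does not pass.
        return verdict(False, "unsupported verb", verb[:16])
    if not rules[verb].fullmatch(arg):
        return verdict(False, "argument outside definition", verb)
    return verdict(True, "ok", verb if verb in REDACT else line)


if __name__ == "__main__":
    rules = load_definition(FTP_DEFINITION)
    # Constructed sample client lines.
    for raw in (b"RETR reports/q3.pdf\r\n", b"LIST -la\r\n", b"SITE CHMOD 777 x\r\n"):
        print(mediate(rules, "alice", raw))
```

Supporting a new command here means adding one entry to the definition rather than writing new proxy code, which is the property the machine-readable approach is meant to deliver.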

Gartner sees a role for proxies in very specific content-inspection situations, Pescatore says -- for example, where the proxy sees a certain type of content going in or out and stops it.

But proxies have the same problem with unknown vulnerabilities that IDS/IPSes do, Pescatore says. "When a new vulnerability comes out, you may have to rewrite the proxy," he says. "You can't put in proxy rules that can anticipate unknown" things.

Application proxies could help enterprises filter their networks and drive risk management policy, but there's no chance they'll stage a comeback, says Thomas Ptacek, a researcher with Matasano Security. That's because most app vendors don't have the security know-how to develop them, he says, nor do users have the know-how to deploy the necessary security for them. "It's been hard enough for us to get users to enable passwords on applications or turn on SSL. They will not see the value in this system."

But it's nice to dream sometimes, Ptacek says. "Security people come up with this idea from time to time because we all fantasize about the day when the inline appliance we build exerts complete control over everyone's application, so we don't have to get permission from vendors and end-users to fix glaring vulnerabilities."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Cryptography Research
  • Gartner Inc.
  • Matasano Security LLC

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
