VIRTUAL PRIVATE NETWORKS

April 1998

Stronghold of security

SOCKS v5 promises enhanced security, but not everyone agrees VPNs require its protection

By Joe Paone

The bastion protecting corporate LANs and the data on them seems to rise forever skywards.

Hence, welcome a new champion to the fortifications of firewalls, VPN tunnels, authentication servers, and encryption algorithms protecting your network: SOCKS version 5. (Despite the name, SOCKS is not the same thing as SSL's "secure sockets"; it is a session-layer proxy protocol.)

The IETF protocol promises to bring a number of security and access-control improvements to the boundaries of corporate networks, including session-layer security, user-based policy management, standards-based security for multimedia applications, enhanced authentication, and increased interoperability among compliant products, according to its proponents.

SOCKS v5 could allow network managers to mix and match firewalls, caches, and proxy servers wherever appropriate to more effectively regulate which users have access to particular applications, both over the Internet and across intranets and extranets.

Not everyone is convinced, however, that networks need SOCKS' promise of industrial-strength security. Software developers and analysts both contend that existing functions in border-control products such as firewalls, in conjunction with the reigning VPN standard (the IETF's IPsec protocol), can provide similar functionality today, obviating the need for an additional security standard on top of IPsec.

Low profile
Although it has attracted the interest of industry leaders such as Cisco Systems, NEC Systems Laboratory Inc., and others, SOCKS v5 has maintained a remarkably low profile.

Its predecessor, SOCKS v4, is a generic proxying mechanism that allows TCP applications to traverse firewalls; it carries only an unverified user ID, offers no real authentication, and handles IPv4 destinations only. SOCKS v4 has also been used as an alternative to commercial firewalls.

SOCKS v5, as described in the IETF's RFC 1928, builds on version 4 by adding a negotiated authentication step (username/password in RFC 1929, GSS-API in RFC 1961), user-based policy management, domain-name and IPv6 destination addresses, and a UDP relay for multimedia applications such as Microsoft's NetMeeting and RealNetworks Inc.'s RealAudio and RealVideo.

Aventail Corp.'s support for SOCKS v5 lets its AutoSOCKS VPN software act as a proxy for UDP connections and resolve destination host names on the client's behalf, providing what the company claims is a superior VPN solution to IPsec-based products.

But products such as AutoSOCKS have led to the image of SOCKS v5 as little more than a fringe VPN alternative to IPsec and PPTP. This is a mispositioning of the protocol, according to industry watchers who say that SOCKS v5 is more of an underlying development technology than a distinct product offering.

"SOCKS is not in the forefront of buyers' minds," says Abner Germanow, research analyst at International Data Corp. in Framingham, Mass.

"SOCKS will be embraced by software and hardware vendors as a way of solving problems that they have today," he says. "It's not a product offering. It's something other products will use to get their jobs done."

Rather than simply being implemented in standalone software packages, SOCKS v5 will be part of the plumbing of border-control products such as firewalls, caches, VPN devices, and other network appliances, according to Saqib Jang, director of marketing for the SOCKS program at NEC in San Jose.

This will let vendors offer more policy-management functionality in a standard, interoperable way, he says.

"These border-control devices need to support a higher level of intelligence as far as policy management is concerned," says Jang. "There needs to be policies and terms for both users and applications in order to allow or deny access to a particular user to a particular application."

For example, with SOCKS v5 managers can prevent a particular end user from using HTTP: the proxy authenticates the user first, then applies that user's rules to each connection request before relaying anything.

By comparison, most firewalls can only regulate applications, although many have developed proprietary methods for regulating access for specific users. SOCKS v5 provides a standard way to do this, but the fact that the proprietary approaches already exist in the market-leading firewalls makes their adoption of SOCKS less likely in the near future. SOCKS' generic proxying would eliminate the need to develop a separate proxy for each new application, and its UDP support allows easy regulation of emerging multimedia applications that don't use TCP.
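The two preceding passages (the RFC 1928 handshake with authentication, and the per-user policy decision) are easier to see in code. The following is an added example, not code from the original article or from any vendor named in it. It plays both sides of a SOCKS v5 session in memory: the client's method greeting, the server's method selection, the RFC 1929 username/password subnegotiation, a CONNECT request using the domain-name address type, and a server ruleset that refuses one user access to port 80 with the protocol's "connection not allowed by ruleset" reply. The user names, passwords and port rules are constructed for the example; the message layouts follow RFC 1928 and RFC 1929.

```python
"""SOCKS v5 exchange (RFC 1928) with username/password auth (RFC 1929)
and a per-user destination policy, simulated in memory (added example)."""
import socket
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# Constructed policy: hypothetical users and the destination ports each may reach.
POLICY = {
    "alice": {443, 22},   # alice is not allowed to use HTTP (port 80)
    "bob": {80, 443},
}
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}   # constructed test accounts

def client_greeting(methods):
    """VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods)]) + bytes(methods)

def server_select_method(greeting):
    """VER | METHOD.  Require username/password; refuse clients that only offer NO AUTH."""
    ver, n = greeting[0], greeting[1]
    if ver != VER or len(greeting) != 2 + n:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:2 + n])
    chosen = METHOD_USERPASS if METHOD_USERPASS in offered else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])

def userpass_request(user, pw):
    """RFC 1929: VER(0x01) | ULEN | UNAME | PLEN | PASSWD"""
    u, p = user.encode(), pw.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def server_check_userpass(msg):
    """Returns (status message, authenticated user or None)."""
    if msg[0] != 0x01:
        raise ValueError("bad subnegotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    pw = msg[3 + ulen:3 + ulen + plen].decode()
    if len(msg) != 3 + ulen + plen:
        raise ValueError("malformed auth request")
    ok = CREDENTIALS.get(user) == pw   # production code would compare in constant time
    return bytes([0x01, 0x00 if ok else 0x01]), (user if ok else None)

def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, with a domain-name address so the
    proxy, not the client, performs the DNS lookup."""
    h = host.encode()
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)

def parse_request(req):
    ver, cmd, rsv, atyp = req[:4]
    if ver != VER or rsv != 0:
        raise ValueError("bad request header")
    if atyp == ATYP_IPV4:
        dst, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode(), req[5 + n:]
    elif atyp == ATYP_IPV6:
        dst, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, dst, struct.unpack("!H", rest)[0]

def server_reply(rep, bind_addr="0.0.0.0", bind_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_addr) + struct.pack("!H", bind_port)

def server_decide(user, req):
    """Apply the authenticated user's ruleset to the request and build the reply."""
    cmd, dst, port = parse_request(req)
    if cmd not in (CMD_CONNECT, CMD_UDP_ASSOCIATE):
        return server_reply(REP_CMD_UNSUPPORTED)
    if port not in POLICY.get(user, set()):
        return server_reply(REP_RULESET)          # "connection not allowed by ruleset"
    return server_reply(REP_SUCCESS)

def run_session(user, pw, host, port):
    """Play both sides of the exchange; return the final REP code, or None if the
    server would have closed the connection before reaching the request."""
    sel = server_select_method(client_greeting([METHOD_NOAUTH, METHOD_USERPASS]))
    if sel[1] != METHOD_USERPASS:
        return None
    _status, authed = server_check_userpass(userpass_request(user, pw))
    if authed is None:
        return None
    return server_decide(authed, connect_request(host, port))[1]

if __name__ == "__main__":
    print("alice -> example.com:80  REP =", run_session("alice", "s3cret", "example.com", 80))
    print("alice -> example.com:443 REP =", run_session("alice", "s3cret", "example.com", 443))
    print("bob   -> example.com:80  REP =", run_session("bob", "hunter2", "example.com", 80))
```

Note that the policy decision is taken on the parsed request before any bytes are relayed, which is what makes per-user rules possible at all; it also shows the limit Suarez raises later in the article, since once the reply is SUCCESS the proxy has no view of the application data it forwards.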

"SOCKS v5 is an open-standard platform that enables vendors to offer value-added management functions in their products," Jang says.

Perhaps the most prominent implementation of SOCKS v5 to date is IBM's eNetwork Firewall. IBM says SOCKS enables the firewall to secure UDP applications such as RealAudio and RealVideo, provide real-time performance statistics by both application and user ID, and support outbound authentication.

But the market-leading firewalls, such as those available from Check Point, Axent Technologies Inc., and Network Associates Inc., do not support SOCKS v5 and likely won't in the near future. This is because they have already developed similar functionality on their own. These vendors have also made a strong commitment to IPsec, and there is much overlap between SOCKS and IPsec in terms of function. For example, both protocols support authentication, although IPsec authenticates hosts or gateways at the network layer while SOCKS authenticates the user opening each proxied session.

"Underwhelmed"
This overlap between SOCKS and other security protocols has left analysts and developers a bit bewildered about the relevance of SOCKS.

"I'm having a little trouble seeing where SOCKS fits into the picture," says Jeff Wilson, director of access programs with Infonetics Research Inc. in San Jose. "In the VPN world, SOCKS is taking a back seat to IPsec and PPTP. It's not something that many people see as necessary."

Bob Antia, chief security architect at Cohesive Network Systems Inc., a Palo Alto, Calif.-based systems integrator that develops custom IPsec software, has no plans to include SOCKS v5 in his VPN projects.

"I am underwhelmed by the whole concept. It just seems to be wedging authentication into SOCKS between the application and session layers," Antia says. "As a purist, I would say that a wedge [like that] violates the protocol."

Leading security vendors are also critical of SOCKS. "We have no plans for SOCKS support," says Ray Suarez, product manager for Axent in Waltham, Mass.

"The SOCKS server is fundamentally insecure," he says. "It does not do content scanning on the packets it transmits. It is a general-purpose protocol, so any application can send any data without control."

Moreover, Suarez says, if network managers want SOCKS support, they can get a SOCKS server and place it behind the company's firewall.

"Axent can provide a generic UDP proxy for the firewall and pass that traffic to the SOCKS server," he says.

But Jang at NEC worries about having various devices, some of which support SOCKS and others of which do not, on the same network. Such an array of devices will be able to interoperate at the base communication level, but unified policy management (the key aspect of SOCKS) will not be realized, he says.

Antia at Cohesive Network contends that such unified, user-based policy management may sound great on the surface, but it is not nearly as simple to deal with in practice.

"It allows very granular policies, but the problem with granular policies is that it is very expensive to upkeep them," he says. "From the operations side, this would not be a benefit. The overhead implications of managing things at that level are overwhelming."

The IETF is already working on the next version of SOCKS, which will define mechanisms for mediating the overlap between the SOCKS and IPsec protocols. The new version will also include IP multicast security support. The new protocol will likely not be completed until sometime in 1999.

The development of the new version, as well as the implementation of the protocol by emerging appliance vendors, may finally convince the mainstream network security players to implement SOCKS.

"A lot of these vendors are suffering from a lack of awareness of where SOCKS is at," says Jang at NEC.

"Over time, as many [SOCKS-compliant] appliances are deployed, maybe it will motivate the existing players to support SOCKS too," he says.
