Firewall Wizards mailing list archives

Re: Dark Reading: Firewalls Ready for Evolutionary Shift


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 05 Dec 2007 22:04:12 -0600

On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> [...] In pure CS terms,
> "doing layer 7 stuff" comes pretty close to rocket science. Read
> Varghese, and remember that without actual algorithms, you crash into
> the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

Besides the question of how hard/accurate it is to perform
protocol-application-correlation, one also has to consider the impact on
the average administrator.

If we start seeing firewalls where your rule set reads like:

allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
...etc...

...then I would consider it breaking new ground. If the end-user of
firewalls can create their policies based on application rather than
just IP-Port pairs, then it's a shift from current network firewalls.

And yes, I'm aware that we've been able to permit/deny *specific
applications* access to the Internet since at least the mid-nineties
(that's when I worked *cough*last*cough* with MS Proxy server and custom
Winsock proxy assignments for applications). I'm sure there are probably
other proxy-based firewalls that have similar capabilities.

But the article seems to refer to non-proxy, inline firewalls/IPS
doodads. For those, application recognition may be groundbreaking news.
Whether the market will accept them remains to be seen. (CxO: My
mobile-tunnlier-gadget can get to the Internet. Make it work! :)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
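
As an added illustration of the rule syntax sketched in the message above (example code, not from the post or from any firewall product), the Python below evaluates flows against those three rules first-match with a default deny, and reports which rule pairs become indistinguishable once the application column is taken away. The networks behind $internal_net and $external_net, and every address used, are constructed assumptions.

```python
# Added example, not from the original post: first-match evaluator for the
# application-aware rule syntax, plus an IP/port-only expressibility check.
import ipaddress
from dataclasses import dataclass

NETS = {"$internal_net": "10.0.0.0/8", "$external_net": "0.0.0.0/0"}  # constructed

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network (CIDR)
    app: str      # application name; "any" matches every application
    dst: str      # destination network (CIDR)
    port: str     # destination port as a string, or "any"

def parse_rules(text):
    """Parse lines like: allow $internal_net Mozilla $external_net port_80"""
    rules = []
    for line in text.strip().splitlines():
        action, src, app, dst, port = line.split()
        rules.append(Rule(action, NETS[src], app, NETS[dst], port[len("port_"):]))
    return rules

def matches(rule, src_ip, app, dst_ip, port):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.app in ("any", app) and rule.port in ("any", str(port)))

def evaluate(rules, src_ip, app, dst_ip, port):
    """First match wins; an unidentified app ("unknown") matches nothing and is denied."""
    for rule in rules:
        if matches(rule, src_ip, app, dst_ip, port):
            return rule.action
    return "deny"   # implicit default deny, as on a conventional firewall

def l3l4_indistinguishable(rules):
    """Rule pairs with opposite actions but identical src/dst/port: not expressible by IP/port alone."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.src, a.dst, a.port) == (b.src, b.dst, b.port) and a.action != b.action:
                pairs.append((a.app, b.app))
    return pairs

POLICY = """
allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
"""
RULES = parse_rules(POLICY)
```

Running `l3l4_indistinguishable(RULES)` returns the Mozilla/InternetExplorer pair: the one decision in this policy that depends entirely on identifying the application, and therefore on the layer-7 classification being right.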

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards