Firewall Wizards mailing list archives
Re: Dark Reading: Firewalls Ready for Evolutionary Shift
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 05 Dec 2007 22:04:12 -0600
On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> [...] In pure CS terms, "doing layer 7 stuff" comes pretty close to rocket science. Read Varghese, and remember that without actual algorithms, you crash into the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

Besides the question of how hard/accurate it is to perform protocol-application-correlation, one also has to consider the impact on the average administrator. If we start seeing firewalls where your rule set reads like:

  allow $internal_net Mozilla          $external_net port_80
  deny  $internal_net InternetExplorer $external_net port_80
  allow $internal_net gnome-meeting    $external_net port_any
  ...etc...

...then I would consider it breaking new ground. If the end-user of firewalls can create their policies based on application rather than just IP-Port pairs, then it's a shift from current network firewalls.

And yes, I'm aware that we've been able to permit/deny *specific applications* access to the Internet since at least the mid-nineties (that's when I worked *cough*last*cough* with MS Proxy server and custom Winsock proxy assignments for applications). I'm sure there are probably other proxy-based firewalls that have similar capabilities. But the article seems to refer to non-proxy, inline firewalls/IPS doodads. For those, application recognition may be ground-breaking news. Whether the market will accept them remains to be seen. (CxO: My mobile-tunnlier-gadget can get to the Internet. Make it work! :)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
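The application-keyed rule set Frank sketches, turned into a runnable toy so the difference from an IP/port policy is concrete. This is an added example, not code from the post or from any product the thread discusses. It assumes a hypothetical internal range of 10.0.0.0/8, first-match semantics with an implicit default deny, and application recognition done inline by fingerprinting the first client payload of a flow; the fingerprints (User-Agent tokens for Firefox and IE, a SIP request line standing in for gnome-meeting) are constructed for illustration and are not real product signatures.

```python
"""Toy inline, application-aware firewall policy (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network, CIDR
    app: str             # application label, or "any"
    dst: str             # destination network, CIDR
    port: Optional[int]  # destination port, None means port_any


# Hypothetical networks and policy, written in the style of the post.
INTERNAL = "10.0.0.0/8"
EXTERNAL = "0.0.0.0/0"
POLICY = [
    Rule("allow", INTERNAL, "Mozilla",          EXTERNAL, 80),
    Rule("deny",  INTERNAL, "InternetExplorer", EXTERNAL, 80),
    Rule("allow", INTERNAL, "gnome-meeting",    EXTERNAL, None),
]

# Constructed fingerprints over the first client payload of a flow.
# Order matters: both Firefox and IE User-Agent strings begin with
# "Mozilla/", so the MSIE token must be tested before the Firefox one.
FINGERPRINTS = [
    ("InternetExplorer", re.compile(rb"^User-Agent:.*\bMSIE\b", re.M)),
    ("Mozilla",          re.compile(rb"^User-Agent: Mozilla/.*\bFirefox/", re.M)),
    # Stand-in for gnome-meeting (SIP signalling); not a real signature.
    ("gnome-meeting",    re.compile(rb"^(INVITE|REGISTER) sip:")),
]


def identify_app(payload: bytes) -> str:
    """Label a flow by its first client payload, or 'unknown'."""
    for label, pattern in FINGERPRINTS:
        if pattern.search(payload):
            return label
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """First-match evaluation of POLICY; returns (action, identified app)."""
    app = identify_app(payload)
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in POLICY:
        if src not in ip_network(rule.src) or dst not in ip_network(rule.dst):
            continue
        if rule.port is not None and rule.port != dst_port:
            continue
        if rule.app != "any" and rule.app != app:
            continue
        return rule.action, app
    return "deny", app  # implicit default deny, as on a plain packet filter


# Constructed sample flows (first client payload only).
FIREFOX = (b"GET / HTTP/1.1\r\nHost: example.org\r\n"
           b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n\r\n")
IE = (b"GET / HTTP/1.1\r\nHost: example.org\r\n"
      b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
CURL = b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.29.0\r\n\r\n"
SIP = b"INVITE sip:bob@example.org SIP/2.0\r\nVia: SIP/2.0/UDP 10.1.2.3:5060\r\n\r\n"

if __name__ == "__main__":
    for name, port, payload in [("firefox", 80, FIREFOX), ("ie", 80, IE),
                                ("curl", 80, CURL), ("sip", 5060, SIP)]:
        print(name, port, evaluate("10.1.2.3", "192.0.2.10", port, payload))
```

Two things the toy makes visible that the rule syntax alone does not. First, an IP/port filter would see the Firefox, IE and curl flows as the same thing (internal host, TCP/80 outbound); only the application label separates them. Second, the label comes from bytes the client chose to send: an IE user who rewrites the User-Agent to the Firefox string is classified as "Mozilla" and allowed, which is the protocol-application-correlation accuracy problem Frank mentions, and why a proxy that actually terminates the session has more to go on than an inline engine matching the first packet.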
Current thread:
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift ArkanoiD (Dec 01)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Jim Seymour (Dec 01)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Thomas Ptacek (Dec 05)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Marcus J. Ranum (Dec 05)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Frank Knobbe (Dec 06)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift david (Dec 06)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Dave Piscitello (Dec 10)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift ArkanoiD (Dec 11)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Darren Reed (Dec 10)