Re: Dark Reading: Firewalls Ready for Evolutionary Shift

[Darren Reed <darrenr () reed wattle id au>]

david () lang hm wrote:
> On Wed, 5 Dec 2007, Frank Knobbe wrote:
>
>   
> > On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> >     
> > > [...] In pure CS terms,
> > > "doing layer 7 stuff" comes pretty close to rocket science. Read
> > > Varghese, and remember that without actual algorithms, you crash into
> > > the speed of SRAM. Even on a fancy multicore whizz-bang NPU.
> > >       
> > Besides the question of how hard/accurate it is to perform
> > protocol-application-correlation, one also has to consider the impact on
> > the average administrator.
> >
> > If we start seeing firewalls where your rule set reads like:
> >
> > allow $internal_net Mozilla $external_net port_80
> > deny $internal_net InternetExplorer $external_net port_80
> > allow $internal_net gnome-meeting $external_net port_any
> > ...etc...
> >
> > ...then I would consider it breaking new ground. If the end-user of
> > firewalls can create their policies based on application rather than
> > just IP-Port pairs, then it's a shift from current network firewalls.
> >     
>
> I'm not sure you really want to try and tell the difference between 
> Mozilla, Firefox, Internet Explorer, Opera, Lynx, etc on the firewall 
> (especially since some of these can be configured to lie and claim that 
> they are others to work around broken websites)
>
> what you need to be able to do is to enforce valid HTTP, and work to 
> detect the common ways of tunneling other things across it.
>   

That and control the content that gets sent back to the client.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards