Firewall Wizards mailing list archives
Re: Dark Reading: Firewalls Ready for Evolutionary Shift
From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 08 Dec 2007 09:38:35 +1100
david () lang hm wrote:
> On Wed, 5 Dec 2007, Frank Knobbe wrote:
>> On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
>>> [...]
>>> In pure CS terms, "doing layer 7 stuff" comes pretty close to rocket
>>> science. Read Varghese, and remember that without actual algorithms,
>>> you crash into the speed of SRAM. Even on a fancy multicore
>>> whizz-bang NPU.
>>
>> Besides the question of how hard/accurate it is to perform
>> protocol-application-correlation, one also has to consider the impact
>> on the average administrator. If we start seeing firewalls where your
>> rule set reads like:
>>
>>   allow $internal_net Mozilla          $external_net port_80
>>   deny  $internal_net InternetExplorer $external_net port_80
>>   allow $internal_net gnome-meeting    $external_net port_any
>>   ...etc...
>>
>> ...then I would consider it breaking new ground. If the end-user of
>> firewalls can create their policies based on application rather than
>> just IP-Port pairs, then it's a shift from current network firewalls.
>
> I'm not sure you really want to try and tell the difference between
> Mozilla, Firefox, Internet Explorer, Opera, Lynx, etc. on the firewall
> (especially since some of these can be configured to lie and claim that
> they are others to work around broken websites). What you need to be
> able to do is to enforce valid HTTP, and work to detect the common ways
> of tunneling other things across it.
That and control the content that gets sent back to the client.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
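The two checks the thread converges on (enforce valid HTTP and flag common tunnels in the request direction; control what comes back in the response direction) as an added example. This code is not from the thread or from any firewall product mentioned in it. It assumes complete, already-reassembled HTTP/1.x messages (no streaming), uses a simplified RFC 7230 grammar, and the function names, finding strings and sample messages are all constructed for this illustration. Note that the User-Agent header is never consulted: the two browser requests differ only in what they claim to be, and the checker treats them identically.

```python
import re

# HTTP/1.x request-line, status-line and header-field grammar (simplified
# from RFC 7230; enough to reject things that are not HTTP at all).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2} [^\r\n]*$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*?)[ \t]*$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
# Leading bytes of executables/archives that should never open a body the
# server labels as text/*.
BINARY_MAGIC = (b"MZ", b"\x7fELF", b"PK\x03\x04")


def _split_message(raw):
    """Split one complete HTTP message into (start line, headers, body, findings)."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("no blank line terminating the header block")
        head, body = raw, b""
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            findings.append("malformed header line %r" % line[:40])
            continue
        headers[m.group(1).lower()] = m.group(2)
    return lines[0], headers, body, findings


def check_request(raw):
    """Findings for a client->server message; an empty list means plain HTTP."""
    start, headers, body, findings = _split_message(raw)
    m = REQUEST_LINE.match(start)
    if not m:
        # An SSH banner, a TLS ClientHello, a chat protocol: not HTTP at all.
        return ["request line is not HTTP/1.x: %r" % start[:40]] + findings
    method, target = m.groups()
    if method == b"CONNECT":
        # Legitimate through a proxy, but the classic way to tunnel anything.
        findings.append("CONNECT tunnel requested to %s" % target.decode("latin-1"))
    else:
        if method not in ALLOWED_METHODS:
            findings.append("method %s not permitted" % method.decode("latin-1"))
        if not target.startswith(b"/"):
            findings.append("request-target is not origin-form: %r" % target[:40])
    if b"host" not in headers:
        findings.append("missing Host header")
    if b"upgrade" in headers:
        findings.append("protocol upgrade to %s" % headers[b"upgrade"].decode("latin-1"))
    ctype = headers.get(b"content-type", b"")
    if (ctype.startswith(b"application/x-www-form-urlencoded")
            and not re.fullmatch(rb"[A-Za-z0-9*\-._%+=&]*", body)):
        findings.append("form body contains bytes outside URL encoding")
    return findings


def check_response(raw):
    """Findings for a server->client message: does the body match its label?"""
    start, headers, body, findings = _split_message(raw)
    if not STATUS_LINE.match(start):
        return ["status line is not HTTP/1.x: %r" % start[:40]] + findings
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"text/") and body.startswith(BINARY_MAGIC):
        findings.append("body labelled %s starts with executable/archive magic"
                        % ctype.decode("latin-1"))
    if b"content-length" in headers:
        declared = headers[b"content-length"]
        if not declared.isdigit() or int(declared) != len(body):
            findings.append("Content-Length %r does not match body length %d"
                            % (declared, len(body)))
    return findings


# Constructed sample traffic for this example (not captures from any real host).
SAMPLES = {
    "firefox get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0 (X11; Linux) Gecko/20071204 Firefox/2.0\r\n\r\n",
    "lynx claiming to be ie": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "ssh on port 80": b"SSH-2.0-OpenSSH_4.7\r\n",
    "connect tunnel": b"CONNECT mail.example.net:22 HTTP/1.1\r\nHost: mail.example.net:22\r\n\r\n",
    "binary in form post": b"POST /submit HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n"
                   b"Content-Length: 4\r\n\r\n\x00\x01\x02\x03",
    "html response": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 13\r\n\r\n<html></html>",
    "exe as text": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 2\r\n\r\nMZ",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        check = check_response if raw.startswith(b"HTTP/") else check_request
        print("%-22s %s" % (name, check(raw) or "ok"))
```

The point of the two browser samples is that a rule keyed on application identity would have to trust the User-Agent string, while these checks reach the same verdict for both because they only look at whether the bytes are well-formed HTTP. Doing this on a live stream rather than on complete messages is where the per-packet cost Ptacek alludes to comes from.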
Current thread:
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift ArkanoiD (Dec 01)
- <Possible follow-ups>
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Jim Seymour (Dec 01)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Thomas Ptacek (Dec 05)
- Message not available
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Marcus J. Ranum (Dec 05)
- Message not available
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Frank Knobbe (Dec 06)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift david (Dec 06)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Dave Piscitello (Dec 10)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift ArkanoiD (Dec 11)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Darren Reed (Dec 10)