Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Darren Reed <Darren.Reed () Sun COM>
Date: Tue, 27 Nov 2007 21:23:22 -0800
Marcus J. Ranum wrote:
> Jim Seymour wrote:
>> What you're telling me is just skip the firewall entirely, and put together a comprehensive set of "firewall router" packet filtering rules.
>
> That's not what I'm saying. I'm saying that the action is all at layer-7 these days. Use a router (or 2 tin cans and some string) to apply broad, simple, controls at the network layer and make sure you are directing traffic to locked down layer-7 services on machines that you think can handle them. Firewalls have always consisted (in my mind, anyhow..) of "block and carry" - think of the basic stuff the firewall does as blocking big chunks of traffic so that your layer-7 picture is refined to the point where you can effectively reason about it. In that model a proxy is just a "carry" tool for layer-7 traffic - and you can then reason about the security controls (if you're using more than just a plug-board proxy, which is axiomatically the same as a router permit port ACL) in the proxy.

Before getting too carried away that all "layer 7" firewalls are the ultimate, how many of them are "layer 7" and how many of them are "layer 5"? If I can run IPoverDNS through your "layer 7 firewall", is it really being a "layer 7 firewall" or a "layer 5 firewall"?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards