Re: [fw-wiz] Firewall Primitives

From: George Capehart (capegeo@opengroup.org)
Date: 11/04/02


From: George Capehart <capegeo@opengroup.org>
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Mon Nov  4 20:51:01 2002


"Marcus J. Ranum" wrote:
>
> David Lang wrote:
> >This is only close to complete if you define a firewall as a packet filter
> >of some sort.
>
> Excellent point. I submit for your consideration the observation
> that firewall primitives should _all_ be connection-oriented. For
> services that are not inherently connection-based, an effective
> firewall should simulate connections to the best of its ability.
>
> >Even if you tried to extend the type to include things like HTTP/FTP/etc.
> >you still will need other parameters to configure the proxies.
>
> I also suggest you consider firewall primitives should include
> content searching - either on originated or returned content,
> as well as vectoring to a VPN or trusted interface. Possibly
> also include primitives for redirecting traffic and possibly
> simulating a session start, so the firewall can interact
> effectively with things like honeyd.

This is interesting. So, a firewall really should/could/might be a
multi-layer, multi-protocol switch . . .
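
The following is an added illustration, not code from the thread and not
any product's implementation: a toy policy engine that models the primitives
Marcus lists above as decisions on connections rather than packets. TCP
connections start only on a SYN; UDP gets a pseudo-connection created by the
first outbound datagram and expired after an idle timeout, so unsolicited
inbound datagrams are refused; content search is applied to both originated
and returned data and kills the whole connection on a hit; "redirect" (to a
honeypot such as honeyd) and "vector" (to a VPN or trusted interface) are
verdicts rather than plain allow/deny. The rule syntax, the 30 second UDP
timeout, and all addresses are assumptions chosen for the example; the
packets in demo() are constructed. Simulating the session start itself
(completing the handshake on the honeypot's behalf) is not modelled here.

```python
"""Toy model of connection-oriented firewall primitives (added example)."""
from dataclasses import dataclass
import re

UDP_IDLE_TIMEOUT = 30.0   # seconds a UDP pseudo-connection may stay idle (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float             # arrival time in seconds
    syn: bool = False     # TCP SYN, i.e. a connection start
    payload: bytes = b""


@dataclass
class Rule:
    proto: str
    dport: int
    action: str                 # "allow", "deny", "redirect", "vector"
    target: str = ""            # honeypot name or interface for redirect/vector
    deny_content: tuple = ()    # byte regexes; a match kills the connection


@dataclass
class Conn:
    rule: Rule
    last_seen: float
    dead: bool = False          # set once content search has condemned it


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conns = {}         # 5-tuple of the initiating packet -> Conn

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def lookup_rule(self, p):
        for r in self.rules:
            if r.proto == p.proto and r.dport == p.dport:
                return r
        return None

    def handle(self, p):
        """Return a verdict string for one packet, in arrival order."""
        # 1. Does the packet belong to a known connection, in either direction?
        for k in (self.key(p), self.reverse_key(p)):
            c = self.conns.get(k)
            if c is None:
                continue
            if c.dead:
                return "deny"
            if p.proto == "udp" and p.ts - c.last_seen > UDP_IDLE_TIMEOUT:
                del self.conns[k]         # pseudo-connection expired
                break
            c.last_seen = p.ts
            return self.inspect(c, p)
        # 2. Otherwise only a TCP SYN or a first UDP datagram may open one.
        if p.proto == "tcp" and not p.syn:
            return "deny"                 # stray mid-stream segment
        r = self.lookup_rule(p)
        if r is None or r.action == "deny":
            return "deny"                 # unsolicited, or no rule for it
        c = Conn(rule=r, last_seen=p.ts)
        self.conns[self.key(p)] = c
        return self.inspect(c, p)

    def inspect(self, c, p):
        """Content search on originated or returned data, then the action."""
        for pat in c.rule.deny_content:
            if re.search(pat, p.payload):
                c.dead = True             # drop the connection, not just the packet
                return "deny"
        if c.rule.action in ("redirect", "vector"):
            return f"{c.rule.action}:{c.rule.target}"
        return "allow"


def demo():
    """Constructed traffic exercising each primitive; returns the verdicts."""
    fw = Firewall([
        Rule("tcp", 80, "allow", deny_content=(rb"\.\./",)),   # path traversal in HTTP
        Rule("udp", 53, "allow"),
        Rule("tcp", 23, "redirect", target="honeyd"),           # telnet -> honeypot
        Rule("tcp", 22, "vector", target="vpn0"),               # ssh -> trusted interface
    ])
    flows = [
        Packet("udp", "10.0.0.5", 40000, "8.8.8.8", 53, 0.0, payload=b"q"),     # opens pseudo-conn
        Packet("udp", "8.8.8.8", 53, "10.0.0.5", 40000, 1.0, payload=b"r"),     # reply in time
        Packet("udp", "8.8.8.8", 53, "10.0.0.5", 40000, 100.0, payload=b"r"),   # reply after expiry
        Packet("tcp", "1.2.3.4", 5555, "10.0.0.9", 80, 2.0),                    # no SYN, no conn
        Packet("tcp", "1.2.3.4", 5555, "10.0.0.9", 80, 2.0, syn=True),          # legitimate start
        Packet("tcp", "1.2.3.4", 5555, "10.0.0.9", 80, 2.1, payload=b"GET /../etc/passwd"),
        Packet("tcp", "10.0.0.9", 80, "1.2.3.4", 5555, 2.2, payload=b"HTTP/1.0 200"),  # dead conn
        Packet("tcp", "1.2.3.4", 6000, "10.0.0.9", 23, 3.0, syn=True),          # to honeyd
        Packet("tcp", "10.0.0.5", 6001, "10.0.0.9", 22, 3.0, syn=True),         # to vpn0
    ]
    return [fw.handle(p) for p in flows]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Each verdict in demo() is produced by the connection state, not by the packet
alone: the same inbound DNS datagram is allowed at t=1 and refused at t=100,
and the HTTP server's reply is refused because the client's request already
condemned the connection.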


