RE: [fw-wiz] Firewalls Compared

From: Eugene Kuznetsov (eugene_at_datapower.com)
Date: 06/29/04

  • Next message: Anton Alin-Adrian: "Re: [fw-wiz] FreeBSD 4.9 ipfw natd -- Port Forwarding"
    To: "'Marcus J. Ranum'" <mjr@ranum.com>, <ark@eltex.net>, "'Laura Taylor'" <ltaylor@relevanttechnologies.com>
    Date: Mon, 28 Jun 2004 19:08:42 -0400
    
    

    > With the increasing focus on application layer attacks, the day
    > of packet-filters even being termed "firewalls" is pretty much over.
    > Packet filters were barely firewalls to begin with, but today, the
    > fight's mostly up in Layer 7 where they have no value.

    Hmm, I do not think that "firewall" is the right term for devices that
    operate at layer 7 or "layer 8". Not on grounds of technical correctness,
    but of common usage. If a big challenge for making a more secure world is
    information and education about threats and best practices, the term
    "firewall" does more harm than good. One man's application firewall is
    another woman's application proxy and someone else's packet filter.

    In my experience, what most normal people mean by "firewall" is a box that
    does not do any TCP termination or deep inspection, but instead simply
    allows and disallows connections at certain IP ports. That box may be
    capable of doing more, but usually that capability is not being used.

    \\ Eugene Kuznetsov, Chairman & CTO : eugene@datapower.com
    \\ DataPower Technology, Inc. : Web Services security
    \\ http://www.datapower.com : XML-aware networks

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
