RE: [fw-wiz] Single Exchange/OWA on LAN with Internet Access - a good

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 11/28/05

    To: "Ravdal, Stig" <SRavdal@Quiznos.com>, "Patrick M. Hausen" <hausen@punkt.de>
    Date: Mon, 28 Nov 2005 15:26:01 -0500
    
    

    Ravdal, Stig wrote:
    >Firewalls are certainly evolving beyond ports and addresses and we see
    >more and more specialized firewalls (e.g. XML firewall) that can do
    >application inspection.

    Minor nitpick regarding history:
            Firewalls started out as devices that handled traffic mostly at Layer 7
    with awareness of the lower layers where it was useful or necessary (i.e.: knowing
    what interface a packet came in on is very useful). There was a period of time
    between 1994 and 2000 in which firewalls devolved into being little more than
    a packet header parser with a TCP SYN tracker and interface tagger - this was
    largely a result of implementation detail flaws in the first generation Layer 7
    firewalls (namely, they were perceived as too slow and in some cases it
    was a correct perception). So then we had years of these almost-firewalls
    and now customers are realizing that the interesting security problems are
    almost all at Layer 7(*) and thanks to packet-grepping ASICs you can now
    have a bit of Layer 7 processing thrown into your firewall at almost no
    performance cost (**)

            ...and the wheel comes full circle again.

            But don't get super excited when the marketing weenies tell you
    it's a whole new idea, OK? It isn't. It's just a really good old idea. Computer
    security is 99% really good old ideas that keep resurfacing whenever the
    reality of the "gee whizzbang" you bought last year sets in.

    mjr.
    (* "duh")
    (** look at the data rates experienced by some of the "deep packet
    inspection firewalls" when you turn on L7 filtering for URLs, etc, and
    you'll maybe learn something interesting)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

