Re: [fw-wiz] Firewalls that generate new packets..

Marcus J. Ranum wrote:

Jim Seymour wrote:


What
you're telling me is just skip the firewall entirely, and put together
a comprehensive set of "firewall router" packet filtering rules.



That's not what I'm saying. I'm saying is that the action is all
at layer-7 these days. Use a router (or 2 tin cans and some string)
to apply broad, simple, controls at the network layer and make
sure you are directing traffic to locked down layer-7 services
on machines that you think can handle them.

Firewalls have always consisted (in my mind, anyhow..) of
"block and carry" - think of the basic stuff the firewall does
as blocking big chunks of traffic so that your layer-7 picture
is refined to the point where you can effectively reason
about it. In that model a proxy is just a "carry" tool for
layer-7 traffic - and you can then reason about the security
controls (if you're using more than just a plug-board
proxy, which is axiomatically the same as a router
permit port ACL) in the proxy.



Before getting too carried away that all "layer 7" firewalls
are the ultimate, how many of them are "layer 7" and how
many of them are "layer 5"?

If I can run IPoverDNS through your "layer 7 firewall", is it
really being a "layer 7 firewall" or a "layer 5 firewall"?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • Re: XP vulnerabilities?
    ... >> Get a DSL router with NAT and then use ONE firewall application. ... The personal firewall will block outbound. ... whole issue of "stealth" became less important on January 25, ... Each layer is necessary because no layer produces ...
    (alt.computer.security)
  • Re: Just venting (totally OT)
    ... the ame router to get access to the net! ... I'm paranoid about opening up my firewall "just in case..." ... not visiting dodgy Websites. ... The protection that it does supply is also provided by ...
    (uk.people.support.depression)
  • Re: Just venting (totally OT)
    ... how long it plays for because it's all been ripped on to hard disc ... the ame router to get access to the net! ... I'm paranoid about opening up my firewall "just in case..." ... The protection that it does supply is also provided by ...
    (uk.people.support.depression)
  • Re: What is broken:McAfeee firewall or my router ????? Urgent, ple
    ... your computer regardless of what McAfee firewall said. ... If your router is ... warned about those ports being available right away if you had any of those ...
    (microsoft.public.security)
  • Re: What is broken:McAfeee firewall or my router ????? Urgent, ple
    ... your computer regardless of what McAfee firewall said. ... If your router is ... warned about those ports being available right away if you had any of those ...
    (microsoft.public.security)