Re: [fw-wiz] Firewalls that generate new packets..

Marcus J. Ranum wrote:

Jim Seymour wrote:

you're telling me is just skip the firewall entirely, and put together
a comprehensive set of "firewall router" packet filtering rules.

That's not what I'm saying. What I'm saying is that the action is all
at layer-7 these days. Use a router (or 2 tin cans and some string)
to apply broad, simple controls at the network layer and make
sure you are directing traffic to locked down layer-7 services
on machines that you think can handle them.

Firewalls have always consisted (in my mind, anyhow..) of
"block and carry" - think of the basic stuff the firewall does
as blocking big chunks of traffic so that your layer-7 picture
is refined to the point where you can effectively reason
about it. In that model a proxy is just a "carry" tool for
layer-7 traffic - and you can then reason about the security
controls (if you're using more than just a plug-board
proxy, which is axiomatically the same as a router
permit port ACL) in the proxy.

Before getting too carried away that all "layer 7" firewalls
are the ultimate, how many of them are "layer 7" and how
many of them are "layer 5"?

If I can run IP over DNS through your "layer 7 firewall", is it
really being a "layer 7 firewall" or a "layer 5 firewall"?


firewall-wizards mailing list
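As an added example, not from the thread or any of its authors, here is a small Python heuristic that does the kind of layer-7 reasoning the last question is about: it looks at what DNS queries carry rather than only whether they are well-formed DNS, and flags zones whose query names look like a data channel. The sample log lines, the thresholds and the last-two-labels zone rule are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log of (client_ip, queried name), as a DNS proxy would
# record it. Names under example.org mimic a tunnel that carries data in long,
# high-entropy labels; the others are ordinary lookups.
_TUNNEL_LABEL = "k7q2m9xz3pv8wlr4hn6tcd5ybj0sfa1e"  # 32 distinct characters
SAMPLE_QUERIES = [("10.0.0.5", n) for n in (
    "www.example.com", "mail.example.com", "cdn.example.com", "api.example.com",
    "img.example.com", "static.example.com", "ntp.example.net")]
SAMPLE_QUERIES += [("10.0.0.9", f"{_TUNNEL_LABEL[i:]}{_TUNNEL_LABEL[:i]}.t.example.org")
                   for i in range(6)]  # six distinct rotations of the label

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def zone_of(qname: str) -> str:
    """Zone approximated as the last two labels (assumption: no public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def flag_tunnel_zones(queries, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Return {zone: stats} for zones whose queries look like a data channel.

    A framing-only (layer-5) check passes all of these as well-formed DNS; this
    reasons about content: many distinct names per zone, each carrying a long,
    high-entropy label, which is the pattern an IP-over-DNS tunnel leaves.
    """
    per_zone = defaultdict(lambda: {"names": set(), "lens": [], "ents": []})
    for _client, qname in queries:
        z = per_zone[zone_of(qname)]
        longest = max(qname.split("."), key=len)
        z["names"].add(qname.lower())
        z["lens"].append(len(longest))
        z["ents"].append(shannon_entropy(longest))
    flagged = {}
    for zone, z in per_zone.items():
        stats = {"unique_names": len(z["names"]),
                 "mean_label_len": sum(z["lens"]) / len(z["lens"]),
                 "mean_entropy": sum(z["ents"]) / len(z["ents"])}
        if (stats["unique_names"] >= min_unique and stats["mean_label_len"] >= min_label_len
                and stats["mean_entropy"] >= min_entropy):
            flagged[zone] = stats
    return flagged

if __name__ == "__main__":
    print(flag_tunnel_zones(SAMPLE_QUERIES))  # expect only example.org
```

The example.com names are also numerous, but their labels are short and low-entropy, so only example.org is reported; real deployments would tune the thresholds against their own resolver logs.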