Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift



On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> [...] In pure CS terms,
> "doing layer 7 stuff" comes pretty close to rocket science. Read
> Varghese, and remember that without actual algorithms, you crash into
> the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

Besides the question of how hard/accurate it is to perform
protocol-application-correlation, one also has to consider the impact on
the average administrator.

If we start seeing firewalls where your rule set reads like:

allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
...etc...

...then I would consider it breaking new ground. If the end-user of
firewalls can create their policies based on application rather than
just IP-Port pairs, then it's a shift from current network firewalls.

And yes, I'm aware that we've been able to permit/deny *specific
applications* access to the Internet since at least the mid-nineties
(that's when I worked *cough*last*cough* with MS Proxy server and custom
Winsock proxy assignments for applications). I'm sure there are probably
other proxy-based firewalls that have similar capabilities.

But the article seems to refer to non-proxy, inline firewalls/IPS
doodads. For those, application recognition may be groundbreaking news.
Whether the market will accept them remains to be seen. (CxO: My
mobile-tunnlier-gadget can get to the Internet. Make it work! :)

Cheers,
Frank




--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

