Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift



david@xxxxxxx wrote:
> On Wed, 5 Dec 2007, Frank Knobbe wrote:
>
>> On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
>>
>>> [...] In pure CS terms,
>>> "doing layer 7 stuff" comes pretty close to rocket science. Read
>>> Varghese, and remember that without actual algorithms, you crash into
>>> the speed of SRAM. Even on a fancy multicore whizz-bang NPU.
>>
>> Besides the question of how hard/accurate it is to perform
>> protocol-application-correlation, one also has to consider the impact on
>> the average administrator.
>>
>> If we start seeing firewalls where your rule set reads like:
>>
>> allow $internal_net Mozilla $external_net port_80
>> deny $internal_net InternetExplorer $external_net port_80
>> allow $internal_net gnome-meeting $external_net port_any
>> ...etc...
>>
>> ...then I would consider it breaking new ground. If the end-user of
>> firewalls can create their policies based on application rather than
>> just IP-Port pairs, then it's a shift from current network firewalls.
>
> I'm not sure you really want to try and tell the difference between
> Mozilla, Firefox, Internet Explorer, Opera, Lynx, etc on the firewall
> (especially since some of these can be configured to lie and claim that
> they are others to work around broken websites)
>
> what you need to be able to do is to enforce valid HTTP, and work to
> detect the common ways of tunneling other things across it.


That and control the content that gets sent back to the client.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


