Firewall Wizards mailing list archives

Re: encapsulated protocols?

From: "Itai Dor-on" <silicom () netvision net il>
Date: Sat, 7 Feb 1998 13:13:20 +0200

In my opinion a "firewall" system is mainly a platform for developing
"security components" that handle specific application security issues.

Due to the current-near future Internet Infrastructure we are limited by the
current TCP/IP protocol security limitations and with that we have to deal
with.

It is not practical, under the current implementation for any vendor to
support all known Internet service that are Home made.

Thus, Security handling should rely on the specific software vendor

Any vendor writing applications that are Internet aware should take
security exploits in his product under consideration. and support  it.

I don't think that the direction of technologies like proxy/statefull
inspection
should change under the current Internet infrastrucutre.BUT the software
market should reinvent itself by selling or supporting security as an added
value/feature to the base product.


Suppose  I am customer that runs firewall-1 as my main security defense
and I was doing a market research for a new Internet mail server.

If had to make a discussion between one product that does all the basic
things and it's security is supported by the vendor throughout a special
implementation on the firewall-1 product OR another very sophisticated mail
server which is not supported.

I would consider the availability time to be prime factor for decision.
thus selecting the first.

The whole concept must change firewall vendors should supply the a
very sophisticated-but not application aware  OS (like some one we know -
M...).
It should provide the tools/programming language for an easy development
of packet/session content examination built  by various vendors.

To think of developing a pro-actively secure solution is not-serious in
this era of time. Providing a sophisticated platform for quick development
of security defense components is the only way to go at the moment.


Bye.

Itai Dor-on




p.s

I apologize in advance for my English grammar.


"Three may keep a secret, if two of them are dead"

- Benjamin Franklin, 1735

Current thread:

Re: IPsec and firewalls, (continued)
- - - Re: IPsec and firewalls carson (Feb 09)
    - Effect of full disk on logging under FW-1 v 2.1? Bret Watson (Feb 09)
    - Re: IPsec and firewalls Ted Doty (Feb 09)
    - Re: encapsulated protocols? Aleph One (Feb 07)
    - Re: encapsulated protocols? Adam Shostack (Feb 07)
    - Re: encapsulated protocols? Larry J. Hughes Jr. (Feb 09)
- Re: encapsulated protocols? Bennett Todd (Feb 04)
- Re: encapsulated protocols? Rick_Giering_at_mpg003 (Feb 06)
  - Re: encapsulated protocols? Jeromie Jackson (Feb 07)
- Re: encapsulated protocols? dharris (Feb 06)
- Re: encapsulated protocols? Itai Dor-on (Feb 07)
  - Re: encapsulated protocols? Marcus J. Ranum (Feb 09)
- Re: encapsulated protocols? Steve Bellovin (Feb 09)