Firewall Wizards mailing list archives
Re: Layer 3 / Layer 7 integration
From: "ॐ aditya mukadam ॐ" <securescorp () gmail com>
Date: Tue, 2 Dec 2008 08:34:52 +0530
On Fri, Nov 28, 2008 at 8:53 PM, P OS <research.questions.contact () googlemail com> wrote:
Hello All, We have a Netscreen firewall, but we are also open to other alternatives. I am wondering if the following is possible: - clients connect to our system using a custom protocol on top of TCP/IP
Do you mean that you would want to encapsulate ESP ?
- a unique userId will be used to identify each user, as source ip is not enough
Ideally with remote access, unique userID is used to identify users.
- each client can only be allowed to connect to 1 IP per day.
Connect to 1 IP = same destination server ? If this is correct, you can create a profile with one destination and map this user to it.
No matter how many times a client logs on/off during the day, they must be assigned the same IP.
Do you mean same pool IP ? Hmm well, I guess that is possible. Need to check the manuals.
The allocation of IP address should be random, but I imagine this should be ok to script (flush table at midnight etc.). This IP will then change the following day. If the client has an established connection, do not inspect the packets as we are worried about latency.
This sounds bit strange. You do not want to inpsect packets of established connection! If screen commands are enabled at interface level, there is no way you can 'not inspect' this traffic. Exceptions can be created at policy level.
A strange business requirement, I know! - To achieve these requirements, I would like to know if the following is possible: - At layer 3, if the connection is already established, let the connection process without any inspection. - At layer 7, if the connection is not already established, inspect the unique userId in the protocol and forward onto assigned IP. - I am just wondering, does this sound reasonable or would there be any better alternatives? Thank-you very much for your time, I appreciate your help.
Can you elaborate the overall requirement again please ? Thanks, Aditya Govind Mukadam _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Layer 3 / Layer 7 integration Lord Sporkton (Dec 01)
- <Possible follow-ups>
- Re: Layer 3 / Layer 7 integration ॐ aditya mukadam ॐ (Dec 02)