Firewall Wizards mailing list archives

Re: Layer 3 / Layer 7 integration

From: "ॐ aditya mukadam ॐ" <securescorp () gmail com>
Date: Tue, 2 Dec 2008 08:34:52 +0530

On Fri, Nov 28, 2008 at 8:53 PM, P OS
<research.questions.contact () googlemail com> wrote:

Hello All,
    We have a Netscreen firewall, but we are also open to other
alternatives. I am wondering if the following is possible:

- clients connect to our system using a custom protocol on top of TCP/IP

Do you mean that you would want to encapsulate ESP ?

- a unique userId will be used to identify each user, as source ip is not
enough

Ideally with remote access, unique userID is used to identify users.

- each client can only be allowed to connect to 1 IP per day.

Connect to 1 IP = same destination server ?  If this is correct, you
can create a profile with one destination and map this user to it.

 No matter how many times a client logs on/off during the day, they must be
assigned the same IP.

Do you mean same pool IP ?  Hmm well, I guess that is possible. Need
to check the manuals.

The allocation of IP address should be random, but I imagine this should be
ok to script (flush table at midnight etc.).
This IP will then change the following day.
If the client has an established connection, do not inspect the packets as
we are worried about latency.


This sounds bit strange. You do not want to inpsect packets of
established connection!  If screen commands are enabled at interface
level, there is no way you can 'not inspect' this traffic. Exceptions
can be created at policy level.

A strange business requirement, I know!

- To achieve these requirements, I would like to know if the following is
possible:

     - At layer 3, if the connection is already established, let the
connection process without any inspection.
     - At layer 7, if the connection is not already established, inspect the
unique userId in the protocol and forward onto assigned IP.

- I am just wondering, does this sound reasonable or would there be any
better alternatives? Thank-you very much for your time, I appreciate your
help.



Can you elaborate the overall requirement again please ?

Thanks,
Aditya Govind Mukadam
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Layer 3 / Layer 7 integration Lord Sporkton (Dec 01)
- <Possible follow-ups>
- Re: Layer 3 / Layer 7 integration ॐ aditya mukadam ॐ (Dec 02)