Re: Firewall Primitives

[George Capehart <capegeo () opengroup org>]

"Marcus J. Ranum" wrote:
> David Lang wrote:
> > this is only close to complete if you define a firewall as a packet filter
> > of some sort.
>
> Excellent point. I submit for your consideration the observation
> that firewall primitives should _all_ be connection-oriented. For
> services that are not inherently connection-based, an effective
> firewall should simulate connections to the best of its ability.
>
> > even if you tried to extend the type to include things like HTTP/FTP/etc
> > you still will need other parameters to configure the proxies.
>
> I also suggest you consider firewall primitives should include
> content searching - either on originated or returned content,
> as well as vectoring to a VPN or trusted interface. Possibly
> also include primitives for redirecting traffic and possibly
> simulating a session start, so the firewall can interact
> effectively with things like honeyd.

This is interesting.  So, a firewall really should/could/might be a
multi-layer, multi-protocol switch . . .
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards