Firewall Wizards mailing list archives

Re: Firewall Primitives


From: Victoria of Borg <vicofborg () myrealbox com>
Date: 04 Nov 2002 21:48:44 -0600

On Mon, 2002-11-04 at 19:24, George Capehart wrote:

> This is interesting.  So, a firewall really should/could/might be a
> multi-layer, multi-protocol switch . . .

That would be how I read it. A firewall should be able to inspect and
make access-decisions on content anywhere from the IP level all the way
up to (and beyond) the application level. Anything less is an invitation
to circumvention.

A firewall needs to do more than just Keep The Bad Guys Out.  It also
needs to make sure my own users are not trying to be bad guys too. And
'bad guy' can be anything from active hack attempts, to creative ways to
get their IM working around that pesky firewall. With the ability to
encapsulate protocols within other protocols, it becomes even more
important that the firewall understand when that is happening. And that
requires very detailed content inspection.

This is why, IMHO of course, the abstract concept of "firewall" is in
reality a group of machines in most places.  A packet-filtering box
called a 'firewall', perhaps a connection-oriented 'firewall', one or
several 'application-level gateways' (proxies, by most people's
naming), and sneaky QoS configs on the router(s). All of which serves as
an enforcement mechanism for the written policy.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
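The point above, that a port number tells a packet filter nothing about whether the bytes are really the protocol the port implies, is easiest to see in code. The following is an added illustration, not code from the original post or from any product mentioned on the list. It models the application-level gateway's job for one case: the first client bytes of a connection to TCP port 80. Layers 3 and 4 have already said "web traffic"; this inspector checks that the content is a well-formed HTTP request, that the request is not itself a tunnel (CONNECT, or an Upgrade header that switches protocols mid-connection), and that it is not a TLS handshake sent to port 80 to dodge a policy. The allowed-method list and the tunnel indicators chosen are assumptions of this example, not a standard, and the sample payloads are constructed.

```python
import re
from dataclasses import dataclass

# Request line per HTTP/1.x: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")

# Assumed site policy: plain web browsing only (not a standard, an example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class Verdict:
    action: str   # "allow" or "deny"
    reason: str   # what the inspector saw; goes to the firewall log


def parse_headers(payload: bytes) -> dict:
    """Return HTTP header fields (lower-cased names) from the head of a request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:   # skip the request line itself
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_port80_payload(payload: bytes) -> Verdict:
    """Classify the first client bytes of a TCP connection to port 80.

    The packet filter only knows 'port 80'; this is the content-level
    decision an application gateway makes on top of that.
    """
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        # TLS record: content type 0x16 (handshake), major version 0x03.
        if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
            return Verdict("deny", "TLS handshake on port 80: encrypted tunnel, not HTTP")
        return Verdict("deny", "not an HTTP request line")

    method = m.group("method").decode()
    target = m.group("target").decode()

    if method == "CONNECT":
        # CONNECT asks the proxy to open a raw TCP pipe: any protocol can ride it.
        return Verdict("deny", f"CONNECT tunnel requested to {target}")
    if method not in ALLOWED_METHODS:
        return Verdict("deny", f"method {method} not in policy")

    headers = parse_headers(payload)
    if b"upgrade" in headers:
        # Upgrade swaps the wire protocol after the request; the rest is no longer HTTP.
        proto = headers[b"upgrade"].decode(errors="replace")
        return Verdict("deny", f"protocol upgrade requested: {proto}")

    return Verdict("allow", f"{method} {target}")


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect_tunnel": b"CONNECT im.example.net:5190 HTTP/1.1\r\nHost: im.example.net\r\n\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "upgrade": b"GET /chat HTTP/1.1\r\nHost: www.example.com\r\nUpgrade: websocket\r\n\r\n",
    "garbage": b"\x00\x01\x02 hello there\r\n",
}


def run_samples() -> dict:
    """Inspect every sample and return name -> Verdict (handy for a log or a test)."""
    return {name: inspect_port80_payload(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} {verdict.action:5s} {verdict.reason}")
```

Only the first sample is allowed; the other four would all have passed a filter that keys on destination port alone. Note what this inspector does not do: it reads one request, so a client that sends a clean GET and then tunnels inside the response body, or inside a long-lived POST, needs the gateway to keep inspecting the stream in both directions, which is the "very detailed content inspection" the post is talking about.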