Firewall Wizards mailing list archives
Re: Firewall Primitives
From: Cat Okita <cat () reptiles org>
Date: Mon, 11 Nov 2002 19:37:36 -0500 (EST)
On Sun, 3 Nov 2002, Marcus J. Ranum wrote:
> David Lang wrote:
> > this is only close to complete if you define a firewall as a packet filter of some sort.
>
> Excellent point. I submit for your consideration the observation that firewall primitives should _all_ be connection-oriented. For services that are not inherently connection-based, an effective firewall should simulate connections to the best of its ability.

With the number and variety of protocols out there, that seems to be a very limiting idea. I won't claim that it doesn't have merit - but it seems to lack practicality to me. The (related) reason that I've yet to actually install Gauntlet into a site was the lag in implementing $wonderful_new_thing that the company demanded Right Now Please.

> > even if you tried to extend the type to include things like HTTP/FTP/etc you still will need other parameters to configure the proxies.
>
> I also suggest you consider firewall primitives should include content searching - either on originated or returned content, as well as vectoring to a VPN or trusted interface. Possibly also include primitives for redirecting traffic and possibly simulating a session start, so the firewall can interact effectively with things like honeyd.

Wouldn't this be crossing over into the realm of the IDS? It would be nice to have one box that 'does it all', but it seems to me that you'd be talking about increased complexity, but not necessarily increased benefit.

I'd included a query about using 'redirect', but I suspect that it got missed. I can certainly see defining 'redirect' as "send things to <foo>" where <foo> is a program (local or external) or host... and that could certainly be a mechanism for allowing content searching.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
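Two of the primitives argued over in this exchange, "simulate connections" for connectionless services and "redirect: send things to <foo>", as an added toy illustration that is not code from the list, from Gauntlet or from any product: a policy engine that tracks UDP as pseudo-connections with an idle timeout, so only replies to flows an inside host originated are admitted, and that hands unsolicited inbound traffic to a configured redirect target (a honeyd host or a content-scanning program). The packet fields, the allowed-port and redirect tables, the target string and the 30 s timeout are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp" (constructed sample traffic only)
    src: str
    sport: int
    dst: str
    dport: int

class PseudoConnFirewall:
    """Treats every flow, even UDP, as a connection: an entry exists only
    once an inside host originates it, and replies ride that entry."""
    def __init__(self, allowed_outbound, redirects, idle_timeout=30.0):
        self.allowed = allowed_outbound   # {(proto, dport)} the inside may originate
        self.redirects = redirects        # {(proto, dport): target} for unsolicited inbound
        self.idle_timeout = idle_timeout  # seconds of silence before a pseudo-conn dies
        self.table = {}                   # forward 5-tuple -> last-seen timestamp

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p, from_inside, now):
        """Return "allow", "deny" or ("redirect", target). `now` is the clock
        (seconds) so the idle timeout is deterministic and testable."""
        # Expire idle pseudo-connections before consulting the table.
        self.table = {k: t for k, t in self.table.items() if now - t < self.idle_timeout}
        for k in (self._key(p), self._reverse(p)):
            if k in self.table:           # same flow, either direction: refresh and pass
                self.table[k] = now
                return "allow"
        if from_inside:
            if (p.proto, p.dport) in self.allowed:
                self.table[self._key(p)] = now   # inside host originates a flow
                return "allow"
            return "deny"
        target = self.redirects.get((p.proto, p.dport))
        if target is not None:
            return ("redirect", target)   # e.g. hand the session to honeyd or a scanner
        return "deny"                     # unsolicited inbound with no redirect rule

if __name__ == "__main__":
    fw = PseudoConnFirewall({("udp", 53)}, {("tcp", 80): "honeyd:10.0.0.99"})
    q = Packet("udp", "10.0.0.5", 40000, "192.0.2.53", 53)
    print(fw.decide(q, True, 0.0), fw.decide(Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000), False, 1.0))
```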