Firewall Wizards mailing list archives

Re: Firewall Primitives

From: Cat Okita <cat () reptiles org>
Date: Mon, 11 Nov 2002 19:37:36 -0500 (EST)

On Sun, 3 Nov 2002, Marcus J. Ranum wrote:

David Lang wrote:

this is only close to complete if you define a firewall as a packet filter
of some sort.


Excellent point. I submit for your consideration the observation
that firewall primitives should _all_ be connection-oriented. For
services that are not inherently connection-based, an effective
firewall should simulate connections to the best of its ability.


With the number and variety of protocols out there, that seems to be a
very limiting idea. I won't claim that it doesn't have merit - but it seems
to lack practicality to me.  The (related) reason that I've yet to actually
install Gauntlet into a site was the lag in implementing $wonderful_new_thing
that the company demanded Right Now Please.

even if you tried to extend the type to include things like HTTP/FTP/etc
you still will need other parameters to configure the proxies.


I also suggest you consider firewall primitives should include
content searching - either on originated or returned content,
as well as vectoring to a VPN or trusted interface. Possibly
also include primitives for redirecting traffic and possibly
simulating a session start, so the firewall can interact
effectively with things like honeyd.


Wouldn't this be crossing over into the realm of the IDS? It would be nice
to have one box that 'does it all', but it seems to me that you'd be
talking about increased complexity, but not necessarily increased benefit.

I'd included a query about using 'redirect', but I suspect that it got
missed. I can certainly see defining 'redirect' as "send things to <foo>"
where <foo> is a program (local or external) or host... and that could
certainly be a mechanism for allowing content searching.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."





_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Firewall Primitives, (continued)
- - - Re: Firewall Primitives Devdas Bhagat (Nov 06)
    - Re: Firewall Primitives Marcus J. Ranum (Nov 06)
    - Re: Firewall Primitives Devdas Bhagat (Nov 07)
    - Re: Firewall Primitives Adam Shostack (Nov 09)
    - BS claims (was Re: Firewall Primitives) Marcus J. Ranum (Nov 09)
    - Re: Firewall Primitives Mikael Olsson (Nov 09)
    - Re: Firewall Primitives Marcus J. Ranum (Nov 09)
    - Re: Firewall Primitives Christopher Hicks (Nov 10)
    - Re: Firewall Primitives Predrag Zivic (Nov 10)
    - Re: Firewall Primitives Stephen P. Berry (Nov 11)
    - Re: Firewall Primitives Cat Okita (Nov 11)
- Re: Firewall Primitives Chris Calabrese (Nov 05)
- Re: Firewall Primitives Alex Goldney (Nov 06)
- Re: Firewall Primitives Marcus J. Ranum (Nov 11)
  - Re: Firewall Primitives Paul Robertson (Nov 11)
  - Re: Firewall Primitives Stephen P. Berry (Nov 11)