Firewall Wizards mailing list archives
Re: Layer 3-7 Firewall.
From: mag () bunuel tii matav hu (Magosányi Árpád)
Date: Wed, 19 Mar 2003 15:16:55 +0000
My mail client thinks that George J. Jahchan wrote the following:
Is there a SPI firewall out there that is application-layer protocol aware?
Doing stateful inspection up from packet level to application level is just not feasible. The problem is that the state space explodes on an unmanageable scale. (I will not comment on the usability of stateful packet filtering routers now, which is one of my favourite flame war topics.)

To be honest, there are very few application level firewalls out there which really do something above layer 3. One example of the not-so-pathetic firewalls is Zorp, which can apply the strongest control on application data among the firewalls I know.

A qualified case of perversity is to use stateful packet filtering code under an application layer firewall. I have seen such a beast which contains a Zorp on top of fw-1, and called something like hercules or whatever. The reasoning behind this is that the packet filter is more resistant to attacks than the network stack and packet filter code of the OS, about which in the case of fw-1 and Linux I am a bit doubtful.

--
GNU GPL: only from a clean source
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards