Firewall Wizards mailing list archives

Re: Layer 3-7 Firewall.


From: mag () bunuel tii matav hu (Magosányi Árpád)
Date: Wed, 19 Mar 2003 15:16:55 +0000

My mailer thinks that George J. Jahchan wrote the following:
Is there a SPI firewall out there that is application-layer protocol
aware?

Doing stateful inspection up from packet level to application
level is just not feasible. The problem is that the state space
explodes on an unmanageable scale. (I will not comment on the
usability of stateful packet filtering routers now, which is
one of my favourite flame war topics).

To be honest, there are very few application level firewalls
out there which really do something above layer 3. One example
of the not-so-pathetic firewalls is Zorp, which can apply the
strongest control on application data among the firewalls I know.

A qualified case of perversity is to use stateful packet filtering
code under an application layer firewall. I have seen such a beast
which contains a Zorp on top of fw-1, and called something like
hercules or whatever.
The reasoning behind this is that the packet filter is more
resistant to attacks than the network stack and packet filter
code of the OS, about which in the case of fw-1 and Linux I am
a bit doubtful.

-- 
GNU GPL: only from a clean source
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

