Firewall Wizards mailing list archives
Re: RE: Layer 3-7 Firewall.
From: <broyds () rogers com>
Date: Wed, 19 Mar 2003 12:36:09 -0500
An example of a true L7 aware firewall is the Symantec Enterprise Firewall. I tested ours against usage of WebDAV extensions this morning and got this message (using Sam Spade):

03/19/03 12:31:28 Browsing http://www.xxx.xxx.ca
Fetching http://www.xxx.xxx.ca/ ...
OPTIONS / HTTP/1.1
Host: www.xxx.xxx.ca
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 501 Not Implemented
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Wed, 19 Mar 2003 17:31:28 GMT
Connection: close
Content-Type: text/html

<HTML>
<HEAD><TITLE>Firewall Error: Not Implemented</TITLE></HEAD>
<BODY>
<H1>Not Implemented</H1>
The method that your browser attempted to use is either not allowed by the firewall or unknown to the firewall.
<br>
One of the following may be the reason for this error:
<UL>
<LI>Your browser attempted to perform an illegal operation,</LI>
<LI>The form on the web page that was just executed contains an illegal <i>action</i>, or</LI>
<LI>The firewall does not yet support the features required by the requested URL.</LI>
</UL>
<BR>
The request seen by the firewall was:
<PRE>
OPTIONS / HTTP/1.1
Host: www.xxx.xxx.ca
Connection: close
User-Agent: Sam Spade 1.14
</PRE>
</body></HTML>

It allows HTTP GET and POST without problem (but verifies that strings are in bounds etc.)

Simple SPI only ensures that the traffic stream is valid TCP. Checkpoint has an extra module that validates HTTP to some extent, acting as a true application proxy, but many sites don't use it because it reduces speed.
From: "Ben Nagy" <ben () iagu net>
Date: 2003/03/19 Wed AM 10:12:56 EST
To: <Firewall-Wizards () Compucenter org>, "'Firewall Wizards List'" <firewall-wizards () honor icsalabs com>
Subject: RE: [fw-wiz] Layer 3-7 Firewall.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of George J. Jahchan
[...]
Is there a SPI firewall out there that is application-layer protocol aware?

Is there one that isn't? (FTP can't work without layer 7 "awareness" for example)

Also, SPI is a Checkpoint word, and it is certainly L7 "aware" (whether it uses this awareness to measurably increase security is another question....)

Perhaps you could clarify exactly what you mean? I don't want to sound glib, but the marketeers have made this kind of discussion treacherous unless we all know that we're talking about exactly the same question.

ben
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
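The behaviour broyds observed above (GET and POST forwarded, OPTIONS answered with 501 Not Implemented, request strings bounds-checked, versus SPI that only validates the TCP stream) as an added example. This is a minimal Python HTTP request filter written for this page; it is not code from the original post nor from the Symantec or Checkpoint products. The size limits, the error page text and the sample requests are constructed assumptions; the OPTIONS request mirrors the Sam Spade capture in the post.

```python
"""
Added example, not code from the original post or from any firewall vendor:
a minimal application-layer HTTP request filter.  A pure stateful packet
inspector only checks that the TCP stream is valid; this filter parses the
HTTP request head, enforces a method allow-list (GET/POST, as observed in
the post) and bounds-checks the request line and header fields.
"""
from dataclasses import dataclass
from http import HTTPStatus
from typing import Optional

ALLOWED_METHODS = frozenset({b"GET", b"POST"})  # as observed in the post
MAX_REQUEST_LINE = 2048   # assumed limits, not taken from any product
MAX_HEADER_LINE = 4096
MAX_HEADERS = 64


@dataclass
class Verdict:
    allowed: bool
    status: Optional[int]   # None when forwarded, else the error status sent back
    reason: str


def inspect_request(raw: bytes) -> Verdict:
    """Parse one HTTP/1.x request head and decide whether to forward it."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, 400, "incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, 414, "request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return Verdict(False, 400, "malformed request line")
    method, target, version = parts
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return Verdict(False, 505, "unsupported HTTP version")
    if not (target.startswith(b"/") or target.startswith(b"http://")):
        return Verdict(False, 400, "bad request target")
    # Syntax checks come first so a malformed line is never forwarded just
    # because its first token happens to be GET.
    if method not in ALLOWED_METHODS:
        # Same outcome the post observed for OPTIONS: 501 Not Implemented
        return Verdict(False, 501, "method %s not allowed by firewall"
                       % method.decode("ascii", "replace"))
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return Verdict(False, 431, "too many header fields")
    for field in headers:
        if len(field) > MAX_HEADER_LINE:
            return Verdict(False, 431, "header field too long")
        name, colon, _value = field.partition(b":")
        if not colon or not name.strip() or not name.isascii():
            return Verdict(False, 400, "malformed header field")
    return Verdict(True, None, "forwarded to origin server")


def error_response(verdict: Verdict) -> bytes:
    """Build a firewall error page in the style of the one in the post."""
    if verdict.allowed:
        raise ValueError("no error response for a forwarded request")
    phrase = HTTPStatus(verdict.status).phrase
    body = ("<HTML><HEAD><TITLE>Firewall Error: %s</TITLE></HEAD>"
            "<BODY><H1>%s</H1>%s</BODY></HTML>\r\n"
            % (phrase, phrase, verdict.reason)).encode()
    return (b"HTTP/1.1 %d %s\r\nConnection: close\r\n"
            b"Content-Type: text/html\r\nContent-Length: %d\r\n\r\n"
            % (verdict.status, phrase.encode(), len(body))) + body


# Constructed sample requests (the OPTIONS one mirrors the post's capture)
OPTIONS_REQUEST = (b"OPTIONS / HTTP/1.1\r\nHost: www.xxx.xxx.ca\r\n"
                   b"Connection: close\r\nUser-Agent: Sam Spade 1.14\r\n\r\n")
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: www.xxx.xxx.ca\r\n\r\n"
LONG_REQUEST = b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: x\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01 hello\r\n\r\n"   # valid TCP payload, not HTTP

if __name__ == "__main__":
    for name, req in [("OPTIONS", OPTIONS_REQUEST), ("GET", GET_REQUEST),
                      ("LONG", LONG_REQUEST), ("NOT_HTTP", NOT_HTTP)]:
        v = inspect_request(req)
        print(name, "->", "forward" if v.allowed
              else error_response(v).split(b"\r\n")[0].decode())
```

Run stand-alone it prints one line per sample: GET is forwarded, OPTIONS gets `HTTP/1.1 501 Not Implemented`, the oversized request line is refused with 414, and the non-HTTP payload (which a TCP-only inspector would happily pass) is refused with 400. The point is that every decision here needs the request parsed, which is exactly the work a packet filter does not do.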
Current thread:
- Layer 3-7 Firewall. George J. Jahchan (Mar 19)
- RE: Layer 3-7 Firewall. Ben Nagy (Mar 19)
- Re: Layer 3-7 Firewall. Magosányi Árpád (Mar 19)
- Re: Layer 3-7 Firewall. Darren Reed (Mar 19)
- <Possible follow-ups>
- Re: RE: Layer 3-7 Firewall. broyds (Mar 19)
- RE: Layer 3-7 Firewall. Stiennon,Richard (Mar 20)
- RE: Layer 3-7 Firewall. George J. Jahchan (Mar 20)