Firewall Wizards mailing list archives
RE: Single Exchange/OWA on LAN with Internet Access - a good
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 28 Nov 2005 15:26:01 -0500
Ravdal, Stig wrote:

> Firewalls are certainly evolving beyond ports and addresses and we see more and more specialized firewalls (e.g. XML firewall) that can do application inspection.
Minor nitpick regarding history: Firewalls started out as devices that handled traffic mostly at Layer 7 with awareness of the lower layers where it was useful or necessary (i.e.: knowing what interface a packet came in on is very useful).

There was a period of time between 1994 and 2000 in which firewalls devolved into being little more than a packet header parser with a TCP SYN tracker and interface tagger - this was largely a result of implementation detail flaws in the first generation Layer 7 firewalls (namely, they were perceived as too slow and in some cases it was a correct perception).

So then we had years of these almost-firewalls and now customers are realizing that the interesting security problems are almost all at Layer 7(*) and thanks to packet-grepping ASICs you can now have a bit of Layer 7 processing thrown into your firewall at almost no performance cost (**) ...and the wheel comes full circle again.

But don't get super excited when the marketing weenies tell you it's a whole new idea, OK? It isn't. It's just a really good old idea. Computer security is 99% really good old ideas that keep resurfacing whenever the reality of the "gee whizzbang" you bought last year sets in.

mjr.

(* "duh")

(** look at the data rates experienced by some of the "deep packet inspection firewalls" when you turn on L7 filtering for URLs, etc, and you'll maybe learn something interesting)
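The contrast the post draws, as an added illustration that is not part of the original message: a header-only filter (addresses, port, SYN state) beside a Layer 7 inspector that also parses the HTTP request line and applies a URL policy. The OWA host address, the allowed URL prefixes and the sample flows are all constructed for the example.

```python
"""Added example (not from the list post): header-only vs. Layer 7 filtering."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    syn_seen: bool          # constructed stand-in for the SYN tracker's state
    payload: bytes = b""


# Header-only policy: the 1994-2000 style "almost-firewall" the post describes.
HEADER_RULES = [("any", "10.0.0.5", 80)]      # allow TCP/80 to the OWA host (constructed)
ALLOWED_PREFIXES = ("/owa/", "/exchange/")    # constructed URL policy for the L7 layer


def header_filter(flow: Flow) -> bool:
    """Decide on addresses, port and connection state only; the payload is never read."""
    if not flow.syn_seen:                      # no tracked handshake -> drop
        return False
    return any(s in ("any", flow.src) and d == flow.dst and p == flow.dport
               for s, d, p in HEADER_RULES)


def l7_filter(flow: Flow) -> Tuple[bool, int]:
    """Apply the header rules, then parse the HTTP request line and check the URL.
    Returns (verdict, bytes_inspected) so the extra per-flow work stays visible."""
    if not header_filter(flow):
        return False, 0
    line, _, _ = flow.payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False, len(line)                # not HTTP on the HTTP port -> drop
    method, path, _ = parts
    ok = method in (b"GET", b"POST") and \
        path.decode("ascii", "replace").startswith(ALLOWED_PREFIXES)
    return ok, len(line)


# Constructed sample flows: all reach TCP/80 on the OWA host, so the header
# filter passes every one that has a tracked SYN; only the L7 layer tells them apart.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", 80, True, b"GET /owa/ HTTP/1.1\r\nHost: mail\r\n\r\n"),
    Flow("192.0.2.11", "10.0.0.5", 80, True, b"GET /private/ HTTP/1.1\r\n\r\n"),
    Flow("192.0.2.12", "10.0.0.5", 80, True, b"\x16\x03\x01 not http at all"),
    Flow("192.0.2.13", "10.0.0.5", 80, False, b"GET /owa/ HTTP/1.1\r\n\r\n"),
]


def compare(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[bool, bool]]:
    """(header verdict, L7 verdict) per flow."""
    return [(header_filter(f), l7_filter(f)[0]) for f in flows]
```

Running `compare()` shows the second and third flows accepted by the header filter and rejected by the L7 check, and the second element returned by `l7_filter` is the byte count the post's second footnote is warning about.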