Firewall Wizards mailing list archives

RE: Single Exchange/OWA on LAN with Internet Access - a good


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 28 Nov 2005 15:26:01 -0500

Ravdal, Stig wrote:
> Firewalls are certainly evolving beyond ports and addresses and we see
> more and more specialized firewalls (e.g. XML firewall) that can do
> application inspection.

Minor nitpick regarding history:
        Firewalls started out as devices that handled traffic mostly at Layer 7
with awareness of the lower layers where it was useful or necessary (i.e.: knowing
what interface a packet came in on is very useful).  There was a period of time
between 1994 and 2000 in which firewalls devolved into being little more than
a packet header parser with a TCP SYN tracker and interface tagger - this was
largely a result of implementation detail flaws in the first generation Layer 7
firewalls (namely, they were perceived as too slow and in some cases it
was a correct perception). So then we had years of these almost-firewalls
and now customers are realizing that the interesting security problems are
almost all at Layer 7(*) and thanks to packet-grepping ASICs you can now
have a bit of Layer 7 processing thrown into your firewall at almost no
performance cost (**).

        ...and the wheel comes full circle again.

        But don't get super excited when the marketing weenies tell you
it's a whole new idea, OK? It isn't. It's just a really good old idea. Computer
security is 99% really good old ideas that keep resurfacing whenever the
reality of the "gee whizzbang" you bought last year sets in.

mjr.
(* "duh")
(** look at the data rates experienced by some of the "deep packet
inspection firewalls" when you turn on L7 filtering for URLs, etc, and
you'll maybe learn something interesting) 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards