Firewall Wizards mailing list archives
Re: Dark Reading: Firewalls Ready for Evolutionary Shift
From: david () lang hm
Date: Thu, 6 Dec 2007 13:50:48 -0800 (PST)
On Wed, 5 Dec 2007, Frank Knobbe wrote:
> On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> > [...]
> > In pure CS terms, "doing layer 7 stuff" comes pretty close to rocket science. Read Varghese, and remember that without actual algorithms, you crash into the speed of SRAM. Even on a fancy multicore whizz-bang NPU.
>
> Besides the question of how hard/accurate it is to perform protocol-application-correlation, one also has to consider the impact on the average administrator. If we start seeing firewalls where your rule set reads like:
>
>     allow $internal_net Mozilla          $external_net port_80
>     deny  $internal_net InternetExplorer $external_net port_80
>     allow $internal_net gnome-meeting    $external_net port_any
>     ...etc...
>
> ...then I would consider it breaking new ground. If the end-user of firewalls can create their policies based on application rather than just IP-Port pairs, then it's a shift from current network firewalls.
I'm not sure you really want to try and tell the difference between Mozilla, Firefox, Internet Explorer, Opera, Lynx, etc. on the firewall (especially since some of these can be configured to lie and claim that they are others to work around broken websites). What you need to be able to do is to enforce valid HTTP, and work to detect the common ways of tunneling other things across it.

If you are running on the client machine you can try to figure out what application is running and make decisions on that (see AppArmor for Linux, and personal firewalls for Windows), but once you are off the client systems you can't make more than an educated guess about what application is generating the network traffic.

David Lang
> And yes, I'm aware that we've been able to permit/deny *specific applications* access to the Internet since at least the mid-nineties (that's when I worked *cough*last*cough* with MS Proxy Server and custom Winsock proxy assignments for applications). I'm sure there are probably other proxy-based firewalls that have similar capabilities. But the article seems to refer to non-proxy, inline firewalls/IPS doodads. For those, application recognition may be ground-breaking news. Whether the market will accept them remains to be seen. (CxO: My mobile-tunnlier-gadget can get to the Internet. Make it work! :)
>
> Cheers,
> Frank
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
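Editor's added example, not code from this message, from either poster, or from any firewall product: a small Python check of the kind David describes for an inline device on TCP/80. It enforces HTTP request syntax (a simplified RFC 2616 grammar is assumed) and flags two common tunnel vectors (CONNECT to a port other than 443, and a non-WebSocket Upgrade); those deny rules, the function and class names, and the sample flows are all assumptions constructed for this page, not captured traffic. The point it makes is the one in the message: the same check passes a request whether its User-Agent says Firefox or Internet Explorer, because that header is whatever the client chooses to send, while an SSH banner or TLS ClientHello on port 80 fails immediately.

```python
"""Hypothetical port-80 protocol-conformance check (constructed example).

Not any product's code. It shows why an inline device can enforce
"this is well-formed HTTP" and flag common tunnels, but cannot learn
which browser sent the request: User-Agent is client-chosen text.
"""
import re
from dataclasses import dataclass

# Request-line and header syntax, simplified from RFC 2616 (assumption: CRLF framing).
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}


@dataclass
class Verdict:
    action: str           # "allow" or "deny"
    reason: str
    user_agent: str = ""  # informational only; never a policy input


def inspect_port80(data: bytes) -> Verdict:
    """Decide whether the first client bytes on a TCP/80 flow are a valid HTTP request."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        # SSH banners, TLS ClientHellos and raw binary never produce an HTTP header block.
        return Verdict("deny", "no HTTP header block")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Verdict("deny", "request line is not HTTP/1.x")
    method, target, version = m.groups()
    if method not in KNOWN_METHODS:
        return Verdict("deny", "unknown method %s" % method.decode("ascii", "replace"))
    headers = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:
            return Verdict("deny", "malformed header line")
        headers[hm.group(1).lower()] = hm.group(2)
    if version == b"1.1" and b"host" not in headers:
        return Verdict("deny", "HTTP/1.1 request without Host header")
    # Assumed tunnel policy: CONNECT only to 443, Upgrade only to websocket.
    if method == b"CONNECT":
        host, _, port = target.rpartition(b":")
        if not host or port != b"443":
            return Verdict("deny", "CONNECT to non-443 port")
    upgrade = headers.get(b"upgrade", b"").lower()
    if upgrade and upgrade != b"websocket":
        return Verdict("deny", "unexpected Upgrade header")
    ua = headers.get(b"user-agent", b"").decode("latin-1")
    return Verdict("allow", "well-formed HTTP request", ua)


# Constructed sample flows (not captured traffic).
FIREFOX_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
# Byte-for-byte the same request except the client now claims to be Internet Explorer.
SPOOFED_UA_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
SSH_ON_80 = b"SSH-2.0-OpenSSH_4.7\r\n"
TLS_ON_80 = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x01" + b"\x00" * 32
CONNECT_TO_SSH = b"CONNECT shell.example.com:22 HTTP/1.1\r\nHost: shell.example.com:22\r\n\r\n"
UPGRADE_TUNNEL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUpgrade: ssh/2.0\r\n\r\n"


if __name__ == "__main__":
    samples = [("firefox", FIREFOX_REQUEST), ("spoofed-ua", SPOOFED_UA_REQUEST),
               ("ssh", SSH_ON_80), ("tls", TLS_ON_80),
               ("connect-22", CONNECT_TO_SSH), ("upgrade-ssh", UPGRADE_TUNNEL)]
    for name, flow in samples:
        v = inspect_port80(flow)
        print(f"{name:12s} {v.action:5s} {v.reason}  {v.user_agent}")
```

Two caveats a practitioner would attach: an inline device has to reassemble the TCP stream before this check sees a complete header block, and a tunnel that wraps its payload in syntactically valid requests (base64 in POST bodies, say) passes it untouched. The check enforces syntax, not intent, which is exactly the "educated guess" limit David describes.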
Current thread:
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift ArkanoiD (Dec 01)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Jim Seymour (Dec 01)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Thomas Ptacek (Dec 05)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Marcus J. Ranum (Dec 05)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Frank Knobbe (Dec 06)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift david (Dec 06)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Dave Piscitello (Dec 10)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift ArkanoiD (Dec 11)
- Re: Dark Reading: Firewalls Ready for Evolutionary Shift Darren Reed (Dec 10)