Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 26 Nov 2007 14:01:15 -0500
Jim Seymour wrote:
> What you're telling me is just skip the firewall entirely, and put together a comprehensive set of "firewall router" packet filtering rules.

That's not what I'm saying. I'm saying that the action is all at layer 7 these days. Use a router (or 2 tin cans and some string) to apply broad, simple controls at the network layer and make sure you are directing traffic to locked-down layer-7 services on machines that you think can handle them.

Firewalls have always consisted (in my mind, anyhow..) of "block and carry" - think of the basic stuff the firewall does as blocking big chunks of traffic so that your layer-7 picture is refined to the point where you can effectively reason about it. In that model a proxy is just a "carry" tool for layer-7 traffic - and you can then reason about the security controls (if you're using more than just a plug-board proxy, which is axiomatically the same as a router permit port ACL) in the proxy.

With respect to the "stateful packet inspection" garbage; it's computer security's equivalent of homeopathy or acupuncture: people like it because it makes them feel better. It's a placebo.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
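The "block and carry" picture in the message above, as an added illustration that is not part of the original post or anyone's product: a router-style permit ACL does the coarse layer-3/4 "block", and two kinds of proxy do the "carry". The toy shows the claim that a plug-board proxy admits exactly the same connections as the router ACL, while an application-aware proxy refines that set with a layer-7 policy. All addresses, rules, policy functions and sample connections are constructed for the example.

```python
"""Toy model of 'block and carry' (constructed example, not real firewall code).

router_permits()          - the layer-3/4 'block': a permit ACL on (dst, port)
plugboard_proxy_carries() - a blind port forwarder; decides on the same facts
application_proxy_carries() - parses the first client bytes against a per-port
                              layer-7 policy before agreeing to carry them
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One inbound TCP connection plus the first bytes the client sent."""
    src: str        # source address (constructed)
    dst: str        # destination address (constructed)
    dport: int      # destination TCP port
    request: bytes  # first bytes of the layer-7 payload (constructed)


# Layer-3/4 "block": router-style permit ACL; anything not listed is dropped.
PERMIT_ACL = {
    ("10.0.0.10", 80),   # hypothetical web server
    ("10.0.0.11", 25),   # hypothetical mail relay
}


def router_permits(flow: Flow) -> bool:
    """Router ACL: pass only listed (destination, port) pairs."""
    return (flow.dst, flow.dport) in PERMIT_ACL


def plugboard_proxy_carries(flow: Flow) -> bool:
    """A plug-board proxy relays bytes blindly between a listening socket and a
    fixed destination. The only decision it can make is the socket-level one
    the ACL already makes, so its accept set is identical to the ACL's."""
    return (flow.dst, flow.dport) in PERMIT_ACL


def http_policy(request: bytes) -> bool:
    """Minimal HTTP/1.x request-line check: GET or HEAD, absolute-path target,
    HTTP/1.0 or HTTP/1.1. Anything that does not parse is refused."""
    try:
        line = request.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = line.split(" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in ("GET", "HEAD")
            and target.startswith("/")
            and version in ("HTTP/1.0", "HTTP/1.1"))


def smtp_policy(request: bytes) -> bool:
    """The client's first SMTP command must be EHLO/HELO with a non-empty name."""
    line = request.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 1)
    return (len(parts) == 2
            and parts[0].upper() in (b"EHLO", b"HELO")
            and parts[1].strip() != b"")


# Per-port layer-7 policy the application proxy enforces (constructed).
L7_POLICY: Dict[int, Callable[[bytes], bool]] = {80: http_policy, 25: smtp_policy}


def application_proxy_carries(flow: Flow) -> bool:
    """Carry only what the ACL permits AND what the protocol policy accepts."""
    if (flow.dst, flow.dport) not in PERMIT_ACL:
        return False
    policy = L7_POLICY.get(flow.dport)
    return policy is not None and policy(flow.request)


def evaluate(flow: Flow) -> Tuple[bool, bool, bool]:
    """(router, plug-board proxy, application proxy) decisions for one flow."""
    return (router_permits(flow),
            plugboard_proxy_carries(flow),
            application_proxy_carries(flow))


def plugboard_matches_acl(flows: List[Flow]) -> bool:
    """True when the plug-board proxy and the ACL agree on every flow."""
    return all(router_permits(f) == plugboard_proxy_carries(f) for f in flows)


# Constructed sample connections.
HTTP_OK = Flow("192.0.2.5", "10.0.0.10", 80, b"GET /index.html HTTP/1.1\r\nHost: w\r\n\r\n")
TELNET = Flow("192.0.2.5", "10.0.0.10", 23, b"\xff\xfb\x01")
NOT_HTTP = Flow("192.0.2.5", "10.0.0.10", 80, b"SSH-2.0-OpenSSH_7.4\r\n")
SMTP_OK = Flow("192.0.2.5", "10.0.0.11", 25, b"EHLO client.example\r\n")
SMTP_BAD = Flow("192.0.2.5", "10.0.0.11", 25, b"GET / HTTP/1.1\r\n")
SAMPLE_FLOWS = [HTTP_OK, TELNET, NOT_HTTP, SMTP_OK, SMTP_BAD]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst}:{f.dport} {f.request[:20]!r} -> router/plugboard/appproxy = {evaluate(f)}")
```

Run it and the two "wrong protocol on a permitted port" flows show the point: the router and the plug-board proxy pass them identically, and only the application proxy, which has to parse the request before carrying it, refuses them. That is the layer-7 picture the post says you should be reasoning about.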