Re: Layer 3 / Layer 7 integration

["Lord Sporkton" <lordsporkton () gmail com>]

I dont think i understand fully what you asking. It sounds like you
have some custom app that works in client server mode that hands out
IPs? and you want to inspect it? I think....

Its almost impossible to do app layer inspection on a custom protocol,
you would have to write you own inspection engine for it and then you
would need a firewall that supports customer inspect engines. Or you
could just write your own firewall...... Or you could run over a
standard protocal :)

Inspection at layer 3/4 is really very simple, layer3 only deals with
the tcp/ip stuff, so the layer3/4 inspection would only really look at
things like making sure seq# is correct after its established, which i
have never seen the ability to turn that off, but its very low level
and layer3/4 inspection causes almost no latency so far as i know.

Layer7 inspection on the other hand CAN cause latency if you overload
the firewall. However in this case since you are doing custom app, you
cant layer7 inspect that anyway, so no latency there :)

Hope that helps,
Lawrence



2008/11/28 P OS <research.questions.contact () googlemail com>:
> Hello All,
>     We have a Netscreen firewall, but we are also open to other
> alternatives. I am wondering if the following is possible:
>
> - clients connect to our system using a custom protocol on top of TCP/IP
>
> - a unique userId will be used to identify each user, as source ip is not
> enough
>
> - each client can only be allowed to connect to 1 IP per day.
>  No matter how many times a client logs on/off during the day, they must be
> assigned the same IP.
> The allocation of IP address should be random, but I imagine this should be
> ok to script (flush table at midnight etc.).
> This IP will then change the following day.
> If the client has an established connection, do not inspect the packets as
> we are worried about latency.
> A strange business requirement, I know!
>
> - To achieve these requirements, I would like to know if the following is
> possible:
>
>      - At layer 3, if the connection is already established, let the
> connection process without any inspection.
>      - At layer 7, if the connection is not already established, inspect the
> unique userId in the protocol and forward onto assigned IP.
>
> - I am just wondering, does this sound reasonable or would there be any
> better alternatives? Thank-you very much for your time, I appreciate your
> help.
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



-- 
-Lawrence
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards