Firewall Wizards mailing list archives
Re: Layer 3 / Layer 7 integration
From: "Lord Sporkton" <lordsporkton () gmail com>
Date: Sun, 30 Nov 2008 18:09:39 -0800
I don't think I fully understand what you're asking. It sounds like you have some custom app that works in client/server mode and hands out IPs? And you want to inspect it? I think....

It's almost impossible to do app layer inspection on a custom protocol; you would have to write your own inspection engine for it and then you would need a firewall that supports custom inspection engines. Or you could just write your own firewall...... Or you could run over a standard protocol :)

Inspection at layer 3/4 is really very simple. Layer 3 only deals with the TCP/IP stuff, so the layer 3/4 inspection would only really look at things like making sure the seq# is correct after it's established, which I have never seen the ability to turn off, but it's very low level and layer 3/4 inspection causes almost no latency so far as I know. Layer 7 inspection on the other hand CAN cause latency if you overload the firewall. However, in this case, since you are doing a custom app, you can't layer 7 inspect that anyway, so no latency there :)

Hope that helps,
Lawrence

2008/11/28 P OS <research.questions.contact () googlemail com>:
> Hello All,
>
> We have a Netscreen firewall, but we are also open to other alternatives. I am wondering if the following is possible:
>
> - clients connect to our system using a custom protocol on top of TCP/IP
> - a unique userId will be used to identify each user, as source IP is not enough
> - each client can only be allowed to connect to 1 IP per day. No matter how many times a client logs on/off during the day, they must be assigned the same IP. The allocation of IP address should be random, but I imagine this should be OK to script (flush table at midnight etc.). This IP will then change the following day. If the client has an established connection, do not inspect the packets as we are worried about latency. A strange business requirement, I know!
> - To achieve these requirements, I would like to know if the following is possible:
>   - At layer 3, if the connection is already established, let the connection proceed without any inspection.
>   - At layer 7, if the connection is not already established, inspect the unique userId in the protocol and forward on to the assigned IP.
> - I am just wondering, does this sound reasonable or would there be any better alternatives?
>
> Thank you very much for your time, I appreciate your help.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-- 
-Lawrence
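As an added worked example (not code from this thread, from the poster's system or from any Netscreen product), here is a small Python prototype of the split the original poster describes: inspect layer 7 only while the connection is being set up, pick the backend for the userId, then splice the two sockets and relay bytes blindly for the rest of the session. Everything protocol-specific is an assumption: the custom protocol is stood in for by a constructed handshake line `HELLO <userId>\n`, the backend pool is a constructed list of addresses, and the "flush a table at midnight" script is swapped for a keyed derivation (HMAC of the userId under a per-day key), which yields the same random-looking assignment for a user all day, a new one the next day, and no table to keep or flush. One caveat a practitioner would note: a userland proxy like this terminates TCP itself, so "no inspection once established" is a property of the proxy's relay loop, not a firewall bypass, and the handshake parser is the only layer-7 logic exposed to the client, so it is deliberately strict.

```python
import asyncio
import datetime
import hashlib
import hmac

# Constructed backend pool standing in for the poster's server addresses.
BACKENDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
MASTER_SECRET = b"replace-with-a-real-secret"   # assumption: one long-lived key
DEMO_DAY = datetime.date(2008, 11, 28)


def assign_backend(user_id, day, pool=BACKENDS, secret=MASTER_SECRET):
    """HMAC(secret, day) gives a per-day key; HMAC(day_key, userId) picks the
    slot. Same userId -> same backend all day, a fresh mapping the next day,
    and nothing to flush at midnight."""
    day_key = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    mac = hmac.new(day_key, user_id.encode(), hashlib.sha256).digest()
    return pool[int.from_bytes(mac[:8], "big") % len(pool)]


def parse_hello(line):
    """Parse the constructed handshake b'HELLO <userId>\\n'. This is the only
    layer-7 inspection the proxy performs, so it is strict on purpose."""
    if len(line) > 128 or not line.endswith(b"\n"):
        raise ValueError("bad handshake")
    parts = line[:-1].split(b" ")
    if len(parts) != 2 or parts[0] != b"HELLO" or not parts[1].isalnum():
        raise ValueError("bad handshake")
    return parts[1].decode("ascii")


def is_valid_hello(line):
    try:
        parse_hello(line)
        return True
    except ValueError:
        return False


async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close. No inspection here."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


async def handle_client(client_r, client_w, resolve):
    """Inspect only the handshake, pick a backend, then splice the sockets."""
    try:
        line = await asyncio.wait_for(client_r.readuntil(b"\n"), timeout=5)
        host, port = resolve(parse_hello(line))
        backend_r, backend_w = await asyncio.open_connection(host, port)
    except Exception:            # bad or slow handshake, or backend down: drop
        client_w.close()
        return
    backend_w.write(line)        # replay the handshake so the backend sees it
    await backend_w.drain()
    await asyncio.gather(_pipe(client_r, backend_w), _pipe(backend_r, client_w))


async def _demo(user_ids, day):
    # Constructed stand-ins: one loopback port per backend IP, each replying
    # with its own IP so we can see where the proxy sent the client.
    async def backend(ip, reader, writer):
        await reader.readuntil(b"\n")          # the replayed handshake
        writer.write(ip.encode() + b"\n")
        await writer.drain()
        writer.close()

    servers, ports = [], {}
    for ip in BACKENDS:
        srv = await asyncio.start_server(
            lambda r, w, ip=ip: backend(ip, r, w), "127.0.0.1", 0)
        servers.append(srv)
        ports[ip] = srv.sockets[0].getsockname()[1]

    def resolve(user_id):                      # production: datetime.date.today()
        return "127.0.0.1", ports[assign_backend(user_id, day)]

    proxy = await asyncio.start_server(
        lambda r, w: handle_client(r, w, resolve), "127.0.0.1", 0)
    proxy_port = proxy.sockets[0].getsockname()[1]

    results = []
    for uid in user_ids:
        r, w = await asyncio.open_connection("127.0.0.1", proxy_port)
        w.write(f"HELLO {uid}\n".encode())
        await w.drain()
        served_by = (await r.readline()).strip().decode()
        w.close()
        results.append((uid, served_by, assign_backend(uid, day)))
    for s in servers + [proxy]:
        s.close()
    return results


def demo(user_ids=("alice", "bob", "alice"), day=DEMO_DAY):
    """Run each userId through the proxy; return (userId, backend that
    answered, backend the allocator chose) so the two can be compared."""
    return asyncio.run(_demo(user_ids, day))


if __name__ == "__main__":
    for uid, got, want in demo():
        print(f"{uid:6} -> {got} (allocator said {want})")
```

In `demo`, "alice" connects twice and is served by the same backend both times, which is the poster's "same IP no matter how often they log on" requirement; rerunning with a different `day` gives a different mapping without any state having been kept.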
Current thread:
- Re: Layer 3 / Layer 7 integration Lord Sporkton (Dec 01)
- <Possible follow-ups>
- Re: Layer 3 / Layer 7 integration ॐ aditya mukadam ॐ (Dec 02)