Layer 3 / Layer 7 integration

["P OS" <research.questions.contact () googlemail com>]

Hello All,
    We have a Netscreen firewall, but we are also open to other
alternatives. I am wondering if the following is possible:

- clients connect to our system using a custom protocol on top of TCP/IP

- a unique userId will be used to identify each user, as source ip is not
enough

- each client can only be allowed to connect to 1 IP per day.
 No matter how many times a client logs on/off during the day, they must be
assigned the same IP.
The allocation of IP address should be random, but I imagine this should be
ok to script (flush table at midnight etc.).
This IP will then change the following day.
If the client has an established connection, do not inspect the packets as
we are worried about latency.
A strange business requirement, I know!

- To achieve these requirements, I would like to know if the following is
possible:

     - At layer 3, if the connection is already established, let the
connection process without any inspection.
     - At layer 7, if the connection is not already established, inspect the
unique userId in the protocol and forward onto assigned IP.

- I am just wondering, does this sound reasonable or would there be any
better alternatives? Thank-you very much for your time, I appreciate your
help.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards