Isaac Van Name wrote:
>You have referred to packet-based
>firewalls as being outdated.

I'm not sure if they're "outdated" as much as "never were particularly good
to begin with".

Remember: popularity is not a reliable gauge of quality. The fact that most
of the firewalls that are fielded today are packet-based (with a smidgeon of
state-tracking thrown in) should concern anyone, when the vast majority
of attacks currently being fielded are above the packet layer. If you want to
look at things from my (admittedly weird) perspective, the current fondness
for "patch your software constantly" is proof positive that packet-based
firewalls don't (and never did) work except for at a very gross level.

The architecture of a "good firewall" would be some kind of layer-7
processor that did application protocol correctness verification and
minimization, as well as some content analysis and filtering. Of course
it'd have to do it extremely fast, or nobody'd want it. Which is why it
doesn't exist. To get that much layer-7 processing done at high speeds
you'd need silicon, and since silicon isn't particularly mutable (not the
fast kind, anyhow) you'd be constantly bumping against application
incompatibilities and that wouldn't sit well.

I guess what I'm saying is "hardly anyone actually WANTS a good firewall."


firewall-wizards mailing list
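The layer-7 processor the post sketches, as an added example that is not code from the original post or from any firewall product: a toy HTTP/1.x request verifier and minimizer in Python. It rejects what a port-based rule cannot see at all (a malformed request line, a bare LF inside a header line, two conflicting Content-Length values, a dot-dot path segment, a method outside an allowlist, a header name that is not a token) and forwards only allowlisted headers in canonical form. The method and header allowlists, the line and header-count limits, the refusal of Transfer-Encoding, and the sample requests are all assumptions made for illustration; the post specifies none of them.

```python
"""Toy layer-7 HTTP/1.x request verifier and minimizer (added example, not from the post)."""
import re
from typing import Dict, List, Tuple

ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}            # assumption: policy allowlist
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}
FORWARDED_HEADERS = {b"host", b"content-length", b"content-type", b"accept", b"user-agent"}
MAX_LINE = 4096                                          # assumption: length limit
MAX_HEADERS = 64                                         # assumption: header-count limit

_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token (methods, field names)
_TARGET = re.compile(rb"^/[\x21-\x7e]*$")                # origin-form target, printable ASCII only
_BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")           # percent not followed by two hex digits
_FIELD_VALUE = re.compile(rb"^[\x20-\x7e\t]*$")          # no control characters in values


class Reject(Exception):
    """Raised with a reason when the request violates the protocol grammar or the policy."""


def _parse_request_line(line: bytes) -> Tuple[bytes, bytes, bytes]:
    parts = line.split(b" ")
    if len(parts) != 3:
        raise Reject("malformed request line")
    method, target, version = parts
    if not _TOKEN.match(method) or method not in ALLOWED_METHODS:
        raise Reject(f"method not allowed: {method!r}")
    if version not in ALLOWED_VERSIONS:
        raise Reject(f"unsupported version: {version!r}")
    if not _TARGET.match(target) or _BAD_PCT.search(target):
        raise Reject("malformed request target")
    if b".." in target.split(b"?", 1)[0].split(b"/"):
        raise Reject("dot-dot segment in path")
    return method, target, version


def _parse_headers(lines: List[bytes]) -> Dict[bytes, List[bytes]]:
    if len(lines) > MAX_HEADERS:
        raise Reject("too many headers")
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise Reject(f"malformed header name: {name!r}")
        value = value.strip(b" \t")
        if not _FIELD_VALUE.match(value):
            raise Reject(f"control character in header {name!r}")
        headers.setdefault(name.lower(), []).append(value)
    return headers


def verify_and_minimize(raw: bytes) -> bytes:
    """Return the minimized request (head + untouched body) or raise Reject."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Reject("no end of headers")
    lines = head.split(b"\r\n")
    for ln in lines:
        if len(ln) > MAX_LINE:
            raise Reject("line too long")
        if b"\r" in ln or b"\n" in ln:          # bare CR/LF left over after CRLF splitting
            raise Reject("bare CR or LF inside a line")
    method, target, version = _parse_request_line(lines[0])
    headers = _parse_headers(lines[1:])

    # Framing checks: the ambiguity that request-smuggling attacks rely on.
    if b"transfer-encoding" in headers:
        raise Reject("chunked framing not supported by this verifier")   # assumption: policy
    lengths = set(headers.get(b"content-length", []))
    if len(lengths) > 1:
        raise Reject("conflicting Content-Length values")
    if lengths:
        (cl,) = lengths
        if not cl.isdigit():
            raise Reject("non-numeric Content-Length")
        if int(cl) != len(body):
            raise Reject("body length does not match Content-Length")
    elif body:
        raise Reject("body without Content-Length")
    if version == b"HTTP/1.1" and len(headers.get(b"host", [])) != 1:
        raise Reject("HTTP/1.1 request must carry exactly one Host header")

    # Minimization: forward only allowlisted headers, lowercase names, canonical order.
    out = [b" ".join([method, target, version])]
    for name in sorted(headers):
        if name not in FORWARDED_HEADERS:
            continue
        values = headers[name]
        if len(values) > 1 and name != b"accept":
            raise Reject(f"duplicate header {name!r}")
        out.append(name + b": " + b", ".join(values))
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def verdict(raw: bytes) -> str:
    """ALLOW or REJECT: <reason>; every one of these would pass a 'dst port 80 permitted' rule."""
    try:
        verify_and_minimize(raw)
        return "ALLOW"
    except Reject as e:
        return f"REJECT: {e}"


# Constructed sample requests (not captured traffic).
GOOD_REQ = b"GET /index.html?q=1 HTTP/1.1\r\nHost: example.test\r\nX-Debug: 1\r\nUser-Agent: demo\r\n\r\n"
SMUGGLED_REQ = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nContent-Length: 13\r\n\r\nabcd"
BARE_LF_REQ = b"GET /a HTTP/1.1\r\nHost: example.test\nInjected: yes\r\n\r\n"
TRAVERSAL_REQ = b"GET /../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD_NAME_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\nBad Header: 1\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD_REQ), ("smuggled", SMUGGLED_REQ), ("bare-lf", BARE_LF_REQ),
                       ("traversal", TRAVERSAL_REQ), ("trace", TRACE_REQ), ("bad-name", BAD_NAME_REQ)]:
        print(f"{label:10} {verdict(req)}")
```

Run it as a script to see each constructed request classified; the single ALLOW shows the minimized head with the non-allowlisted X-Debug header stripped and names lowercased. The body is passed through unchanged and the verifier only guarantees framing, so the "content analysis and filtering" part of the post's sketch would sit behind this, looking at the body of whatever survives.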