Wonderfully put as always, Marcus. I guess the question then is, what
is the solution? Defense-in-depth, compartmentalization, and diligent
patching all help, but surely there has got to be a way to build a
better mouse trap - err - firewall.

What about the handful of L7 firewalls out there? Sidewinder and the
like? Don't they manage to keep up on fast links? Can you move the
processing into FPGAs or similar?

It's not that I want a silver bullet in a firewall, just that I want it
to do more than just be a hunk of metal in line.

- Chris

On 8/20/06, Marcus J. Ranum wrote:
> Isaac Van Name wrote:
> >You have referred to packet-based
> >firewalls as being outdated.

> I'm not sure if they're "outdated" as much as "never were particularly good
> to begin with"
> Remember: popularity is not a reliable gauge of quality. The fact that most
> of the firewalls that are fielded today are packet-based (with a smidgeon of
> state-tracking thrown in) should concern anyone, when the vast majority
> of attacks currently being fielded are above the packet layer. If you want to
> look at things from my (admittedly weird) perspective, the current fondness
> for "patch your software constantly" is proof positive that packet-based
> firewalls don't (and never did) work except for at a very gross level.
> The architecture of a "good firewall" would be some kind of layer-7
> processor that did application protocol correctness verification and
> minimization, as well as some content analysis and filtering. Of course
> it'd have to do it extremely fast, or nobody'd want it. Which is why it
> doesn't exist. To get that much layer-7 processing done at high speeds
> you'd need silicon, and since silicon isn't particularly mutable (not the
> fast kind, anyhow) you'd be constantly bumping against application
> incompatibilities and that wouldn't sit well.
> I guess what I'm saying is "hardly anyone actually WANTS a good firewall."
> mjr.
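An added illustration of the "application protocol correctness verification and minimization" mjr describes, written for this page and not taken from the thread or any product: a strict HTTP request checker that rejects malformed or ambiguous requests and rewrites permitted ones down to an allow-list of methods and headers. The allow-lists and the function name are assumptions chosen for the example.

```python
import re

# Added example (not from the thread): a toy layer-7 "correctness verification
# and minimization" pass for HTTP requests, the shape of firewall mjr sketches.
# The allow-lists are illustrative assumptions, not any product's policy.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_HEADERS = {b"host", b"content-length", b"content-type", b"accept", b"user-agent"}
TOKEN = re.compile(rb"[!#$%&'*+.^_|~0-9A-Za-z-]+")    # RFC 7230 header-name chars
TARGET = re.compile(rb"/[^\x00-\x20\x7f]*")           # origin-form, no CTL/space

def verify_and_minimize(raw: bytes):
    """Return (True, canonical request) if permitted, else (False, reason)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    if any(b"\r" in l or b"\n" in l for l in lines):
        return False, "bare CR or LF in header block"
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not TARGET.fullmatch(target) or b".." in target:
        return False, "bad request-target"
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return False, "bad version"
    kept, seen = [], set()
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            return False, "malformed header"
        lname = name.lower()
        if lname == b"transfer-encoding":      # refuse rather than resolve CL/TE ambiguity
            return False, "transfer-encoding refused"
        if lname in seen:
            return False, "duplicate header"
        seen.add(lname)
        if lname in ALLOWED_HEADERS:           # minimization: unknown headers never pass
            kept.append((lname, value.strip()))
    if b"host" not in seen:
        return False, "missing Host"
    declared = dict(kept).get(b"content-length", b"0")
    if not declared.isdigit() or int(declared) != len(body):
        return False, "content-length mismatch"
    canon = b" ".join((method, target, version)) + b"\r\n"
    canon += b"".join(n + b": " + v + b"\r\n" for n, v in kept) + b"\r\n" + body
    return True, canon
```

Everything the policy does not name is dropped or refused, so an upstream server only ever sees the subset of the protocol the checker understands.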
