Marcus J. Ranum wrote:

>Jim Seymour wrote:
>
>>What you're telling me is just skip the firewall entirely, and put
>>together a comprehensive set of "firewall router" packet filtering
>>rules.
>
>That's not what I'm saying. I'm saying that the action is all
>at layer-7 these days. Use a router (or 2 tin cans and some string)
>to apply broad, simple, controls at the network layer and make
>sure you are directing traffic to locked down layer-7 services
>on machines that you think can handle them.
>
>Firewalls have always consisted (in my mind, anyhow..) of
>"block and carry" - think of the basic stuff the firewall does
>as blocking big chunks of traffic so that your layer-7 picture
>is refined to the point where you can effectively reason
>about it. In that model a proxy is just a "carry" tool for
>layer-7 traffic - and you can then reason about the security
>controls (if you're using more than just a plug-board
>proxy, which is axiomatically the same as a router
>permit port ACL) in the proxy.

Before getting too carried away that all "layer 7" firewalls
are the ultimate, how many of them are "layer 7" and how
many of them are "layer 5"?

If I can run IPoverDNS through your "layer 7 firewall", is it
really being a "layer 7 firewall" or a "layer 5 firewall"?

Darren
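Darren's IP-over-DNS point is the practical test of the "layer 5 vs layer 7" question: a device that only admits UDP/53 with well-formed DNS framing will carry a tunnel whose payload is encoded in the query names. One way a defender checks whether that is happening behind such a device is to look at resolver or firewall DNS logs for parent domains receiving many unique, high-entropy subdomain labels. The script below is an added example written for this post, not code from the thread or from any product named in it; the log format (timestamp, client, qname, qtype), the sample lines, the "registered domain = last two labels" shortcut and the thresholds are all assumptions made here for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic); fields are
# timestamp, client IP, queried name, query type. The example.net
# entries imitate what a name-encoded tunnel looks like in a resolver log.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com A
2024-01-01T10:00:01 10.0.0.5 mail.example.com MX
2024-01-01T10:00:01 10.0.0.5 shop.example.com A
2024-01-01T10:00:02 10.0.0.7 3q4k9z2x8v1n7m5b0c6f.tunnel.example.net TXT
2024-01-01T10:00:02 10.0.0.7 p9w2e4r6t8y1u3i5o7a0.tunnel.example.net TXT
2024-01-01T10:00:03 10.0.0.7 h7j3l9k1m5n2b4v6c8x0.tunnel.example.net TXT
2024-01-01T10:00:03 10.0.0.7 d1f3g5h7j9k2l4z6x8c0.tunnel.example.net TXT
2024-01-01T10:00:04 10.0.0.7 a2s4d6f8g1h3j5k7l9q0.tunnel.example.net TXT
2024-01-01T10:00:05 10.0.0.5 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Assumed shortcut: treat the last two labels as the registered domain.
    A real deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (timestamp, client, qname, qtype) or None for blank/comment/odd lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.lower(), qtype.upper()


def analyze(log_text: str, min_unique: int = 4, entropy_threshold: float = 3.5) -> dict:
    """Group queries by registered domain and score each for tunnel-like naming.

    A domain is marked suspicious when it has at least min_unique distinct
    subdomain prefixes and their mean per-character entropy is high; both
    thresholds are illustrative assumptions, not measured values.
    """
    subs = defaultdict(set)
    qtypes = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, _client, qname, qtype = rec
        parent = registered_domain(qname)
        qtypes[parent][qtype] += 1
        if qname.endswith("." + parent):
            subs[parent].add(qname[: -(len(parent) + 1)])
    report = {}
    for parent, names in subs.items():
        n = len(names)
        # Entropy is measured over the prefix with dots removed, so the
        # label separators do not count as "information".
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in names) / n
        mean_len = sum(len(s) for s in names) / n
        report[parent] = {
            "unique_subdomains": n,
            "mean_entropy": round(mean_entropy, 2),
            "mean_prefix_len": round(mean_len, 1),
            "qtypes": dict(qtypes[parent]),
            "suspicious": n >= min_unique and mean_entropy >= entropy_threshold,
        }
    return report


def flagged_domains(log_text: str) -> list:
    """Sorted list of registered domains the heuristic marks as suspicious."""
    return sorted(d for d, st in analyze(log_text).items() if st["suspicious"])


if __name__ == "__main__":
    for domain, st in sorted(analyze(SAMPLE_LOG).items()):
        print(domain, st)
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

The heuristic is deliberately coarse: CDNs, some anti-spam services and certificate-transparency style lookups also generate many unique, random-looking labels, so the score is a triage signal to confirm against query volume and record types (the TXT/NULL-heavy pattern in the sample), not a block decision on its own. If this kind of traffic reaches the outside unhindered, the device in front of it is doing Darren's "layer 5" job, whatever the box is labelled.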

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards