Marcus J. Ranum wrote:

>Jim Seymour wrote:
>>you're telling me is just skip the firewall entirely, and put together
>>a comprehensive set of "firewall router" packet filtering rules.

>That's not what I'm saying. What I'm saying is that the action is all
>at layer-7 these days. Use a router (or 2 tin cans and some string)
>to apply broad, simple, controls at the network layer and make
>sure you are directing traffic to locked down layer-7 services
>on machines that you think can handle them.
>Firewalls have always consisted (in my mind, anyhow..) of
>"block and carry" - think of the basic stuff the firewall does
>as blocking big chunks of traffic so that your layer-7 picture
>is refined to the point where you can effectively reason
>about it. In that model a proxy is just a "carry" tool for
>layer-7 traffic - and you can then reason about the security
>controls (if you're using more than just a plug-board
>proxy, which is axiomatically the same as a router
>permit port ACL) in the proxy.

Before getting too carried away that all "layer 7" firewalls
are the ultimate, how many of them are "layer 7" and how
many of them are "layer 5"?

If I can run IPoverDNS through your "layer 7 firewall", is it
really being a "layer 7 firewall" or a "layer 5 firewall"?


firewall-wizards mailing list
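To make the layer-5 versus layer-7 distinction above concrete, here is an added example (not from the thread) contrasting what a port-53 packet filter sees with a heuristic check that actually inspects DNS query names for encapsulated data; the query sample, record shape and thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS queries as (client, qname, qtype). A port-53 packet
# filter passes all of them; only a check that parses the DNS payload can
# tell the hostname lookups from the encapsulated-data ones.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.9", "3q2b7f9z0pk1m4x8v6n5t2w9.c8d1e3.tunnel.example.net", "TXT"),
    ("10.0.0.9", "z9x8c7v6b5n4m3a2s1d0f9g8.h7j6k5.tunnel.example.net", "TXT"),
    ("10.0.0.9", "q1w2e3r4t5y6u7i8o9p0a1s2.d3f4g5.tunnel.example.net", "NULL"),
]

def port_filter_allows(proto: str, dport: int) -> bool:
    """The 'layer 5' view: permit anything that is UDP to port 53."""
    return proto == "udp" and dport == 53

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_tunnel(qname: str, qtype: str,
                      min_label: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic payload-level check: a long, high-entropy label (where
    encapsulated data usually rides) plus a record type that carries bulk."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    longest = max(labels, key=len)
    bulky_type = qtype in ("TXT", "NULL", "CNAME")
    return (len(longest) >= min_label
            and shannon_entropy(longest) >= min_entropy
            and bulky_type)

def flag_clients(queries, threshold: int = 2) -> dict:
    """Count suspicious queries per client; return those at or above threshold."""
    hits = Counter(client for client, qname, qtype in queries
                   if looks_like_tunnel(qname, qtype))
    return {client: n for client, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    passed = [q for q in SAMPLE_QUERIES if port_filter_allows("udp", 53)]
    print(f"port filter passed {len(passed)} of {len(SAMPLE_QUERIES)} queries")
    print("payload check flags:", flag_clients(SAMPLE_QUERIES))
```

The thresholds are deliberately crude; in practice they would be tuned against the baseline of the resolver's legitimate traffic rather than fixed constants.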