On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> [...] In pure CS terms,
> "doing layer 7 stuff" comes pretty close to rocket science. Read
> Varghese, and remember that without actual algorithms, you crash into
> the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

Besides the question of how hard/accurate it is to perform
protocol-application-correlation, one also has to consider the impact on
the average administrator.

If we start seeing firewalls where your rule set reads like:

allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any

....then I would consider it breaking new ground. If the end-user of
firewalls can create their policies based on application rather than
just IP-Port pairs, then it's a shift from current network firewalls.

And yes, I'm aware that we've been able to permit/deny *specific
applications* access to the Internet since at least the mid-nineties
(that's when I worked *cough*last*cough* with MS Proxy server and custom
Winsock proxy assignments for applications). I'm sure there are probably
other proxy-based firewalls that have similar capabilities.

But the article seems to refer to non-proxy, inline firewalls/IPS
doodads. For those, application recognition may be groundbreaking news.
Whether the market will accept them remains to be seen. (CxO: My
mobile-tunnlier-gadget can get to the Internet. Make it work!)


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
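An added illustration, not part of the original post: a minimal first-match evaluator for the application-keyed rule set quoted above. The network definitions ($internal_net as 10.0.0.0/8, $external_net as everything else) and the flow values are constructed assumptions; the `app` field stands in for whatever label the layer-7 classifier produced, so a misclassified or unidentified application falls through to default-deny.

```python
import ipaddress

# Constructed for this example: the post never defines the $-variables.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# The rule set exactly as written in the post: action src app dst port.
RULES_TEXT = """\
allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
"""


def member(ip, name):
    """Resolve a $-variable: $external_net is everything not internal."""
    if name == "$internal_net":
        return ip in INTERNAL_NET
    if name == "$external_net":
        return ip not in INTERNAL_NET
    raise ValueError(f"unknown network variable {name}")


def parse_rules(text):
    """Turn 'action src app dst port_N|port_any' lines into tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        action, src, app, dst, port = fields
        dport = None if port == "port_any" else int(port[len("port_"):])
        rules.append((action, src, app, dst, dport))
    return rules


RULES = parse_rules(RULES_TEXT)


def decide(rules, src_ip, app, dst_ip, dport, app_aware=True):
    """First matching rule wins; nothing matched means deny.

    app_aware=False models a classic IP/port firewall that cannot see the
    application label, so the app column is ignored when matching.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, rule_app, dst, port in rules:
        if not (member(s, src) and member(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        if app_aware and app != rule_app:
            continue
        return action
    return "deny"
```

With the application label in play the two port-80 rules diverge; without it, the first rule matches both browsers and Internet Explorer gets through.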

firewall-wizards mailing list