On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> [...] In pure CS terms,
> "doing layer 7 stuff" comes pretty close to rocket science. Read
> Varghese, and remember that without actual algorithms, you crash into
> the speed of SRAM. Even on a fancy multicore whizz-bang NPU.


Besides the question of how hard/accurate it is to perform
protocol-application-correlation, one also has to consider the impact on
the average administrator.

If we start seeing firewalls where your rule set reads like:

allow $internal_net Mozilla $external_net port_80
deny $internal_net InternetExplorer $external_net port_80
allow $internal_net gnome-meeting $external_net port_any
....etc...

....then I would consider it breaking new ground. If the end-user of
firewalls can create their policies based on application rather than
just IP-Port pairs, then it's a shift from current network firewalls.

And yes, I'm aware that we've been able to permit/deny *specific
applications* access to the Internet since at least the mid-nineties
(that's when I worked *cough*last*cough* with MS Proxy server and custom
Winsock proxy assignments for applications). I'm sure there are probably
other proxy-based firewalls that have similar capabilities.

But the article seems to refer to non-proxy, inline firewalls/IPS
doodads. For those, application recognition may be ground breaking news.
Whether the market will accept them remains to be seen. (CxO: My
mobile-tunnlier-gadget can get to the Internet. Make it work!)

Cheers,
Frank




-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
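The application-based rule set sketched in the post, as an added example that is not part of the original message or of any product it discusses: a small Python policy evaluator that classifies a flow from its first payload bytes and then runs first-match over rules of the form (action, src_net, application, dst_net, port). The network ranges, the "Mozilla"/"InternetExplorer" labels, the User-Agent heuristic and the sample payloads are all assumptions constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Network names and application labels mirror the rule set in the post;
# the address ranges are assumptions made for this example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXTERNAL_NET = ipaddress.ip_network("0.0.0.0/0")   # "anywhere" for this demo


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    app: str                     # application label, or "any"
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None stands for port_any


# allow $internal_net Mozilla          $external_net port_80
# deny  $internal_net InternetExplorer $external_net port_80
# allow $internal_net gnome-meeting    $external_net port_any
RULES = [
    Rule("allow", INTERNAL_NET, "Mozilla", EXTERNAL_NET, 80),
    Rule("deny", INTERNAL_NET, "InternetExplorer", EXTERNAL_NET, 80),
    Rule("allow", INTERNAL_NET, "gnome-meeting", EXTERNAL_NET, None),
]

_UA_RE = re.compile(rb"^User-Agent:[ \t]*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def identify_app(payload: bytes) -> str:
    """Label a flow from the first bytes of its payload.

    This is the layer-7 step an inline device has to perform. Here it is
    only an HTTP User-Agent match, which is enough for the rule set above
    but is decided entirely by bytes the client chose to send.
    """
    m = _UA_RE.search(payload)
    if m is None:
        return "unknown"
    ua = m.group(1)
    # IE identifies itself as "Mozilla/4.0 (compatible; MSIE ...)", so the
    # MSIE token must be tested before the Mozilla/ prefix.
    if b"MSIE" in ua:
        return "InternetExplorer"
    if ua.startswith(b"Mozilla/"):
        return "Mozilla"
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    app = identify_app(payload)
    for r in RULES:
        if (src in r.src and dst in r.dst
                and (r.port is None or r.port == dst_port)
                and r.app in ("any", app)):
            return r.action
    return "deny"


# Constructed sample payloads (not captured traffic).
FIREFOX_GET = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.1.9) "
               b"Gecko/20071025 Firefox/2.0.0.9\r\n\r\n")
IE_GET = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
TLS_HELLO = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x01"   # no HTTP headers at all


if __name__ == "__main__":
    for label, payload, port in (("Firefox", FIREFOX_GET, 80),
                                 ("IE", IE_GET, 80),
                                 ("TLS", TLS_HELLO, 443)):
        print(label, identify_app(payload),
              evaluate("10.1.2.3", "192.0.2.10", port, payload))
```

Two things worth noticing when running it: the IE flow is denied only because the MSIE token is checked before the generic Mozilla/ prefix, and any client that simply sends Firefox's User-Agent string is classified as Mozilla and allowed, because the classifier has nothing but the client's own bytes to go on. Inline application recognition that is stronger than this has to look at more than one self-declared header, which is where the "layer 7 is hard" point in the quoted reply comes in.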


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
