On Wed, 5 Dec 2007, Frank Knobbe wrote:

> On Tue, 2007-12-04 at 15:12 -0600, Thomas Ptacek wrote:
> > [...] In pure CS terms,
> > "doing layer 7 stuff" comes pretty close to rocket science. Read
> > Varghese, and remember that without actual algorithms, you crash into
> > the speed of SRAM. Even on a fancy multicore whizz-bang NPU.

> Besides the question of how hard/accurate it is to perform
> protocol-application-correlation, one also has to consider the impact on
> the average administrator.
> If we start seeing firewalls where your rule set reads like:
> allow $internal_net Mozilla $external_net port_80
> deny $internal_net InternetExplorer $external_net port_80
> allow $internal_net gnome-meeting $external_net port_any
> ...etc...
> ...then I would consider it breaking new ground. If the end-user of
> firewalls can create their policies based on application rather than
> just IP-Port pairs, then it's a shift from current network firewalls.

I'm not sure you really want to try and tell the difference between
Mozilla, Firefox, Internet Explorer, Opera, Lynx, etc on the firewall
(especially since some of these can be configured to lie and claim that
they are others to work around broken websites)

what you need to be able to do is to enforce valid HTTP, and work to
detect the common ways of tunneling other things across it.

if you are running on the client machine you can try to figure out what
application is running and make decisions on that (see App Armor for
Linux, and personal firewalls for Windows), but once you are off the
client systems you can't make more then an educated guess about what
application is generating the network traffic.

David Lang

> And yes, I'm aware that we've been able to permit/deny *specific
> applications* access to the Internet since at least the mid-nineties
> (that's when I worked *cough*last*cough* with MS Proxy server and custom
> Winsock proxy assignments for applications). I'm sure there are probably
> other proxy-based firewalls that have similar capabilities.
> But the article seems to refer to non-proxy, inline firewalls/IPS
> doodads. For those, application recognition may be ground breaking news.
> If the market will accept them remains to be seen. (CxO: My
> mobile-tunnlier-gadget can get to the Internet. Make it work!
> Cheers,
> Frank

firewall-wizards mailing list