2008/3/26, Marcus J. Ranum :
> What you have done is rediscovered the "incoming traffic problem" -
> which is a primary property of firewalls that has been well-understood
> since the early 1990s. You're correct that many firewalls (especially
> the packet-oriented ones or the so-called 'stateful' ones) don't do
> anything useful at layer-7, and serve primarily to force traffic to an
> application service which needs to be tough enough to withstand
> direct attack specific to that service. And, yes, with things like
> "everything tunnelled over web services" remote procedure calls,
> the complete set of protocol options at layer-7 is too large to be
> controlled, enumerated, or understood - which means that effectively
> you are doomed to intermittent epic failures.

I think that the problem is a bit (yes, just a bit) more manageable than that.
Although the complete set of protocol options is very large, with good
design practices one can keep the set of actually used options small.

(Well, if everything had been designed with good practices in mind,
there would be no need for firewalls...
So the other short answer is "yes": as firewalls are a bandaid solution,
they are not useful anymore: you cannot do anything useful with a bandaid
when the patient had his head blown off.)

firewall-wizards mailing list