
Re: IPSEC requirements

Masataka,

	I agree with Marcus that the term "firewall" has come to
mean two very different types of perimeter security, operating at the
IP layer or at the application layer.  I think relatively few
firewalls operate at the transport layer, per se, perhaps because of
the difficulty of concatenating TCP connections.  The IP layer
firewalls examine TCP and UDP port fields in making filtering or
screening decisions, but that is not the same as implementing
full-fledged transport layer processing.  (It's a minor form of cheating.)

	Application layer firewalls are generally a pain for users to
deal with.  Double logins are annoying and proxy application
processing is complex and may not preserve the application semantics.
It also creates the potential for processing bottlenecks.  One can
replace the client software on user machines within an enclave to
ameliorate the problems, but that is a difficult task in some
environments, e.g., with a heterogeneous set of user platforms and
with application software that is not available in source code form.

	Despite our differences of opinion on several details, we do
agree that application layer firewalls are not a desirable endpoint
for Internet security.

Steve
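The distinction drawn above, between an IP-layer screen that merely reads the TCP/UDP port fields and a device that actually tracks transport-layer state, can be made concrete. The following is an added example, not code from the original message or from any product Steve or Marcus describe. It builds a few IPv4/TCP/UDP headers inline (constructed sample data, not captured traffic), parses only the fields a port screen looks at, and runs two decision functions over them: a stateless port-field rule table, and the same table augmented with the minimal connection awareness (SYN-without-ACK opens a permitted flow; later segments must match a known flow) that a plain port screen lacks. The rule table, addresses and ports are assumptions chosen for illustration.

```python
import struct

# Constructed sample packets (IPv4 + TCP/UDP headers, no payload) are built
# inline so the example runs offline; nothing here is captured traffic.

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_packet(proto, src_ip, dst_ip, l4_header):
    """Assemble a minimal 20-byte IPv4 header (checksum left zero) in front of an L4 header."""
    total_len = 20 + len(l4_header)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len, 0, 0, 64, proto, 0,
                            bytes(map(int, src_ip.split("."))),
                            bytes(map(int, dst_ip.split("."))))
    return ip_header + l4_header


def build_tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header; seq/ack/window/checksum are placeholders."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp_header(sport, dport):
    """Minimal 8-byte UDP header with placeholder length/checksum."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def parse_packet(raw):
    """Extract only what an IP-layer screen looks at: protocol, addresses, ports, TCP flags."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    l4 = raw[ihl:]
    pkt = {"proto": proto, "src_ip": src_ip, "dst_ip": dst_ip}
    if proto == 6:    # TCP: ports in the first 4 bytes, flags byte at offset 13
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update(sport=sport, dport=dport, flags=l4[13])
    elif proto == 17:  # UDP: ports in the first 4 bytes, no flags
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update(sport=sport, dport=dport, flags=None)
    return pkt


# Assumed rule table for the enclave boundary: (protocol, destination port)
# pairs permitted inbound. SMTP and HTTP are chosen purely for illustration.
INBOUND_ALLOW = {(6, 25), (6, 80)}


def stateless_decision(pkt):
    """Port-field screening: accept purely on (proto, dport), with no notion of a connection."""
    return "accept" if (pkt["proto"], pkt.get("dport")) in INBOUND_ALLOW else "drop"


def stateful_decision(pkt, established_flows):
    """Port screening plus minimal transport awareness: an inbound TCP segment is accepted
    only if it opens a new connection (SYN without ACK) to a permitted port, or belongs to a
    flow this firewall has already seen opened. Non-TCP traffic falls back to the port table."""
    if pkt["proto"] != 6:
        return stateless_decision(pkt)
    flow = (pkt["src_ip"], pkt["sport"], pkt["dst_ip"], pkt["dport"])
    if flow in established_flows:
        return "accept"
    opens_connection = bool(pkt["flags"] & TCP_SYN) and not (pkt["flags"] & TCP_ACK)
    if opens_connection and (6, pkt["dport"]) in INBOUND_ALLOW:
        established_flows.add(flow)
        return "accept"
    return "drop"


def demo():
    """Run both screens over three constructed inbound packets; return {name: (stateless, stateful)}."""
    syn_to_smtp = build_ipv4_packet(6, "198.51.100.7", "192.0.2.10",
                                    build_tcp_header(40000, 25, TCP_SYN))
    ack_to_smtp = build_ipv4_packet(6, "198.51.100.7", "192.0.2.10",
                                    build_tcp_header(40001, 25, TCP_ACK))
    udp_to_dns = build_ipv4_packet(17, "198.51.100.7", "192.0.2.10",
                                   build_udp_header(40002, 53))
    flows = set()
    results = {}
    for name, raw in [("syn_to_smtp", syn_to_smtp),
                      ("ack_to_smtp", ack_to_smtp),
                      ("udp_to_dns", udp_to_dns)]:
        pkt = parse_packet(raw)
        results[name] = (stateless_decision(pkt), stateful_decision(pkt, flows))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12s} stateless={stateless:6s} stateful={stateful}")
```

The second packet is the point of the example: a segment carrying only ACK toward the permitted SMTP port passes the port-field screen, because that screen never asks whether a connection to that port was ever opened, while the flow-tracking variant drops it. That gap is what the message means by examining port fields without doing "full-fledged transport layer processing"; closing it is the job of connection tracking, and detecting such segments at the boundary is a useful log signal in its own right.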