Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Layer 3 / Layer 7 integration
From: "Lord Sporkton" <lordsporkton () gmail com>
Date: Sun, 30 Nov 2008 18:09:39 -0800

I dont think i understand fully what you asking. It sounds like you
have some custom app that works in client server mode that hands out
IPs? and you want to inspect it? I think....

Its almost impossible to do app layer inspection on a custom protocol,
you would have to write you own inspection engine for it and then you
would need a firewall that supports customer inspect engines. Or you
could just write your own firewall...... Or you could run over a
standard protocal :)

Inspection at layer 3/4 is really very simple, layer3 only deals with
the tcp/ip stuff, so the layer3/4 inspection would only really look at
things like making sure seq# is correct after its established, which i
have never seen the ability to turn that off, but its very low level
and layer3/4 inspection causes almost no latency so far as i know.

Layer7 inspection on the other hand CAN cause latency if you overload
the firewall. However in this case since you are doing custom app, you
cant layer7 inspect that anyway, so no latency there :)

Hope that helps,

2008/11/28 P OS <research.questions.contact () googlemail com>:
Hello All,
    We have a Netscreen firewall, but we are also open to other
alternatives. I am wondering if the following is possible:

- clients connect to our system using a custom protocol on top of TCP/IP

- a unique userId will be used to identify each user, as source ip is not

- each client can only be allowed to connect to 1 IP per day.
 No matter how many times a client logs on/off during the day, they must be
assigned the same IP.
The allocation of IP address should be random, but I imagine this should be
ok to script (flush table at midnight etc.).
This IP will then change the following day.
If the client has an established connection, do not inspect the packets as
we are worried about latency.
A strange business requirement, I know!

- To achieve these requirements, I would like to know if the following is

     - At layer 3, if the connection is already established, let the
connection process without any inspection.
     - At layer 7, if the connection is not already established, inspect the
unique userId in the protocol and forward onto assigned IP.

- I am just wondering, does this sound reasonable or would there be any
better alternatives? Thank-you very much for your time, I appreciate your

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]