Ron DuFresne wrote:
[SNIP][snip large sig block]
> 'A HW firewall can only block at the protocol level for an entire machine but can not reliably deny access for one program and allow access for another program when they are using like protocols from the same machine.'
>
> Still incorrect, as it seems folks are talking about packet filters only of one type or another. No one seems to be considering the high end in the firewall realm, and this might be due to the 'homeuser' tone of the thread, but, what about firewalls with application proxies? Of course these are not very common on a desktop or home machine...
There are many application proxies in use on the host these days, they are often transparent as well. An easy example might be any modern virus scanner which intercepts a communication stream and emulates the application protocol to inspect it for virii.
While I see what you are trying to say, you are incorrect. There is no _off system_ firewall, hardware or software, that can differentiate like protocols and the representation of those protocols simply by being inline.
Let me illustrate..
    $ wget www.yahoo.com
    ...output

    $ nc www.yahoo.com 80
    GET / HTTP/1.0
    User-Agent: Wget/1.8.2
    Host: www.yahoo.com
    Accept: */*
    Connection: Keep-Alive

    ...output
Barring a subtle difference in the way wget and nc build the tcp connection there is no way off system to differentiate the above two HTTP requests and there is no off system method to identify the requesting application.
Something that might make this mildly on topic for the list would be a discussion of the next logical statements about enforcing access to the internet for specific applications using this method of thinking.
You can do anything that does not require a change on the host system.
Some suggestions:

* configure User-Agent validation
* only allow specific protocols, limited to HTTP for example.
* require user authentication
Now, with all the products out there the list has, attempt these methods of restriction and then show us how it can be evaded or otherwise rendered useless by an application other than the intended. If you believe it cannot be evaded please show your work and defend your position.
Failing this type of discussion, I too SCREAM NAZI
-Jason
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
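As an added example (not code from the post above, nor from any product discussed on the list): a toy in-line proxy filter in Python that applies the three suggested restrictions (User-Agent validation, HTTP only, user authentication) to raw request bytes, together with three request producers. The allowed User-Agent, the user "alice" and her password, and the program names are constructed for the example. The allowlisted client and a second program that replays the same header lines produce byte-identical requests, so the filter returns the same verdict for both; the only request it stops is from the program that identifies itself truthfully.

```python
"""Added example: an off-host filter cannot tell which program built the bytes."""
import base64

# Constructed policy for the toy proxy (assumptions, not from the post):
# only the User-Agent that wget 1.8.2 sends may go out, and the proxy
# demands Basic credentials for a known user.
ALLOWED_AGENTS = {"Wget/1.8.2"}
PROXY_USERS = {"alice": "s3cret"}


def parse_request(raw):
    """Split an HTTP/1.x request head into (method, target, version, headers).

    Header names are lower-cased; any body after the blank line is ignored.
    Raises ValueError when the first line is not a three-token request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def proxy_filter(raw):
    """Apply the three suggested controls to one request; return (allowed, reason)."""
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError:
        return False, "not an HTTP request line"
    # Control: only allow one protocol (HTTP).
    if not version.startswith("HTTP/1."):
        return False, "protocol not HTTP"
    # Control: User-Agent validation.
    if headers.get("user-agent") not in ALLOWED_AGENTS:
        return False, "user-agent not allowed"
    # Control: require user authentication (HTTP Basic in Proxy-Authorization).
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return False, "credentials required"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False, "credentials unreadable"
    if PROXY_USERS.get(user) != password:
        return False, "credentials rejected"
    return True, "ok"


def wget_request(host, path="/", user="alice", password="s3cret"):
    """Request head the allowlisted client is assumed to build, header by header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    lines = [
        f"GET {path} HTTP/1.0",
        "User-Agent: Wget/1.8.2",
        f"Host: {host}",
        "Accept: */*",
        "Connection: Keep-Alive",
        f"Proxy-Authorization: Basic {token}",
    ]
    return "\r\n".join(lines).encode() + b"\r\n\r\n"


def honest_other_program_request(host, path="/"):
    """A second program that names itself truthfully and sends no credentials."""
    return (f"GET {path} HTTP/1.0\r\nUser-Agent: nc-wrapper/0.1\r\n"
            f"Host: {host}\r\n\r\n").encode()


def mimicking_program_request(host, path="/", user="alice", password="s3cret"):
    """The nc approach from the post: type the allowed client's header lines by hand.

    Built from a fixed template, independently of wget_request(); any program on
    the host can read the same credential the allowed client uses and paste it."""
    template = (
        "GET {path} HTTP/1.0\r\n"
        "User-Agent: Wget/1.8.2\r\n"
        "Host: {host}\r\n"
        "Accept: */*\r\n"
        "Connection: Keep-Alive\r\n"
        "Proxy-Authorization: Basic {token}\r\n"
        "\r\n"
    )
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return template.format(path=path, host=host, token=token).encode()


def demo(host="www.yahoo.com"):
    """Run each producer through the filter; returns {producer: (allowed, reason)}."""
    return {
        "wget": proxy_filter(wget_request(host)),
        "honest other program": proxy_filter(honest_other_program_request(host)),
        "mimicking other program": proxy_filter(mimicking_program_request(host)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
    print("wire bytes identical:",
          wget_request("www.yahoo.com") == mimicking_program_request("www.yahoo.com"))
```

The filter does real work against a client that tells the truth about itself, which is why such controls look effective in testing; it has no input other than the bytes, so a client that sends the same bytes gets the same answer. Swapping in a stronger authentication scheme does not change this as long as the credential lives on the host where any program can read it.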
