Checkout
February 27th, 2003, 06:32 PM
I have an idea that effective firewalls should be available as two separate components, Core and Application layers, with sufficient interoperability that you can buy one from one company and the other from someone else. My wish list focuses on the Core layer, but contributions are welcomed to both.
Core Layer
Inbound
Unrestricted
The default, unrestricted will allow incoming connections to any of your applications which are bound to your target ports. Highly undesirable.
Stealthed
Stealthed ports will silently ignore any connection attempts, rendering them "invisible" to the Internet. Very desirable.
Semi-Stealthed
As far as I know, this is a new idea. A semi-stealthed port will only accept incoming connections from IP addresses you contacted first (solicited) and only for the duration of the current session. All unsolicited connections will be stealthed.
IP Restricted
This means that you can specify which IP addresses or URLs a port will accept connections from. Can be combined with semi-stealth for additional protection.
Port Redirected
The opposite of stealth and semi-stealth, more or less. Any unsolicited incoming connections are redirected to another port where an application such as a Personal Honey Trap can handle them - ideal for gathering data on "rogue" sites and users, preferably for sharing on things like HOSTS files and script analysers.
Outbound
Unrestricted
Any of your applications can contact any IP address using this port.
Stealthed
Anything your applications send to this port is discarded without transmission.
Semi-Stealthed
Applications may only wait for incoming connections; they cannot initiate connections. Useful for anti-DoS and trojan attacks.
IP Restricted
Applications can only contact predefined IP addresses. For example, VisualZone could be limited to contacting the author's site for updates, and DShield to report intrusion data.
Port Redirected
Any otherwise unrestricted access to the Internet can be redirected to an internal port, where a security application can gather data on unauthorised attempts to contact the Internet. Ideal for identifying trojans and keyloggers.

I don't think any of the above are mutually exclusive, though there's obviously an order of precedence required. I would like to see port and application configurations (might as well call them rules) as shared distribution files, like The Proxomitron does, so that "best of breed" rules can be tested and endorsed.
From my point of view, the very lowest level (port control) should prevail, and the highest level (application control) least, but I'm willing to be persuaded otherwise. Good programming should be able to identify conflicts, for Pity's sake! But what an interface it's going to be...and I'm very willing to assist any potential developers with the ergonomics for such a project.
Application Layer
This layer, I think, is the realm of dynamic (resident) anti-viruses, anti-trojans and script analysers.
Thoughts here are welcomed.
Checkout
- Fixed the "list" tags - LowWaterMark
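The Core Layer described in the post maps fairly directly onto a stateful packet filter: "stealthed" is a silent drop policy, "semi-stealthed" is connection tracking (accept only packets belonging to a connection this host opened, for as long as the tracking entry lives), "IP restricted" is a source or destination address match, and "port redirected" is destination NAT to a local listener. As an added example that is not part of the original post, and not code from any of the products it names, here is an nftables ruleset implementing each inbound and outbound mode on a Linux host. The addresses (documentation ranges), ports and numeric uids are assumptions chosen for illustration; application identity is approximated by the uid a program runs as, since the packet filter has no other notion of "application":

```nft
#!/usr/sbin/nft -f
# Added example: the post's "Core Layer" expressed as an nftables ruleset.
# All hosts, ports and uids below are assumed values for illustration.
flush ruleset

define admin_host   = 198.51.100.5    # assumed: the one host allowed to reach ssh
define update_host  = 203.0.113.10    # assumed: vendor update server
define report_host  = 203.0.113.20    # assumed: intrusion-report collector
define uid_updater  = 1001            # assumed: uid the update client runs as
define uid_reporter = 1002            # assumed: uid the reporting agent runs as
define uid_listener = 33              # assumed: uid of a service that may answer but never call out

table ip core {

    # ---------------------------------------------------------------- Inbound
    chain inbound {
        # "Stealthed" is the default: a drop policy sends no RST and no ICMP
        # unreachable, so a closed port looks the same as an absent host.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop

        # "Semi-stealthed": accept only packets that belong to a connection
        # this host initiated, and only while the conntrack entry exists.
        ct state established,related accept

        # "IP restricted": tcp/22 takes new connections from one address only.
        ip saddr $admin_host tcp dport 22 ct state new accept

        # Let connections that the nat chain below redirected reach the local
        # honeypot listener on tcp/7777; direct probes of 7777 stay stealthed.
        ct status dnat tcp dport 7777 accept
    }

    # --------------------------------------------------------------- Outbound
    chain outbound {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Port control comes first in the chain so it prevails over the
        # per-application rules below. "Stealthed" outbound port: anything
        # any application sends to tcp/25 is discarded without transmission.
        tcp dport 25 drop

        # "Semi-stealthed" application: its replies pass via the established
        # rule above, but it may never open a connection of its own.
        # (Its attempts on 80/443 are diverted to the local sniffer by the
        # nat chain below before reaching this rule; everything else drops here.)
        meta skuid $uid_listener ct state new drop

        # "IP restricted" applications: each may open connections only to its
        # own predefined host and port, plus name resolution.
        meta skuid $uid_updater  ip daddr $update_host tcp dport 443 ct state new accept
        meta skuid $uid_reporter ip daddr $report_host tcp dport 443 ct state new accept
        meta skuid { $uid_updater, $uid_reporter } udp dport 53 accept
    }
}

table ip core_nat {
    # "Port redirected" inbound: unsolicited tcp/23 goes to a honeypot
    # listener on tcp/7777 instead of being dropped, so probes can be recorded.
    chain inbound_redirect {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 23 ct state new redirect to :7777
    }

    # "Port redirected" outbound: any process other than the two approved
    # ones trying to reach the web is diverted to a local listener on
    # tcp/8080 that logs which uid tried, instead of reaching the Internet.
    chain outbound_redirect {
        type nat hook output priority dstnat; policy accept;
        meta skuid != { $uid_updater, $uid_reporter } tcp dport { 80, 443 } redirect to :8080
    }
}
```

Load it with `nft -f core.nft` (as root) and inspect the result with `nft list ruleset`. Rule order within a chain is the order of precedence the post asks for, which is why the port-level drop sits above the uid-level rules; the verifier of a "conflict" between rules is simply that the first match wins. Two caveats a practitioner would want: the "duration of the current session" is whatever the conntrack timeout is for that protocol, so a stale entry keeps a semi-stealthed port reachable from a previous peer until it expires; and matching on uid is a coarse stand-in for per-executable control, since any code running under that uid inherits its permissions, which is the gap the post's Application Layer would have to fill. The nat tables here are IPv4 only (`table ip`), so an IPv6-reachable host needs the equivalent in an `ip6` or `inet` table.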