Wish List for Firewall products

Discussion in 'other firewalls' started by Checkout, Feb 27, 2003.

Thread Status:
Not open for further replies.
  1. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I have an idea that effective firewalls should be available as two separate components, Core and Application layers, with sufficient interoperability that you can buy one from one company and the other from someone else. My wish list focuses on the Core layer, but contributions are welcomed to both.

    Core Layer
    • Inbound
      • Unrestricted
        The default, unrestricted will allow incoming connections to any of your applications which are bound to your target ports. Highly undesirable.
      • Stealthed
        Stealthed ports will silently ignore any connection attempts, rendering them "invisible" to the Internet. Very desirable.
      • Semi-Stealthed
        As far as I know, this is a new idea. A semi-stealthed port will only accept incoming connections from IP addresses you contacted first (solicited) and only for the duration of the current session. All unsolicited connections will be stealthed.
      • IP Restricted
        This means that you can specify which IP addresses or URLs that a port will accept connections from. Can be combined with semi-stealth for additional protection.
      • Port Redirected
        The opposite of stealth and semi-stealth, more or less. Any unsolicited incoming connections are redirected to another port where an application such as a Personal Honey Trap can handle them - ideal for gathering data on "rogue" sites and users, preferably for sharing on things like HOSTS files and script analysers.
    • Outbound
      • Unrestricted
        Any of your applications can contact any IP address using this port.
      • Stealthed
        Anything your applications send to this port is discarded without transmission.
      • Semi-Stealthed
        Applications may only wait for incoming connections; they cannot initiate connections. Useful for anti-DoS and trojan attacks.
      • IP Restricted
        Applications can only contact predefined IP addresses. For example, VisualZone could be limited to contacting the author's site for updates, and DShield to report intrusion data.
      • Port Redirected
        Any otherwise unrestricted access to the Internet can be redirected to an internal port, where a security application can gather data on unauthorised attempts to contact the Internet. Ideal for identifying trojans and keyloggers.
    I don't think any of the above are mutually exclusive, though there's obviously an order of precedence required. I would like to see port and application configurations (might as well call them rules) as shared distribution files, like The Proxomitron does, so that "best of breed" rules can be tested and endorsed.

    From my point of view, the very lowest level (port control) should prevail, and the highest level (application control) least, but I'm willing to be persuaded otherwise. Good programming should be able to identify conflicts, for Pity's sake! But what an interface it's going to be...and I'm very willing to assist any potential developers with the ergonomics for such a project.

    Application Layer
    This layer, I think, is the realm of dynamic (resident) anti-viruses, anti-trojans and script analysers.

    Thoughts here are welcomed.

    Checkout

    - Fixed the "list" tags - LowWaterMark
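
    The Core Layer modes described above, as an added example that is not code from the thread or from any firewall product: a toy Python filter with a connection table so that a semi-stealthed port only answers peers this host contacted first. The port numbers, IP addresses, verdict strings and the choice to stealth unconfigured inbound ports are all assumptions made for the example.

```python
# Added example: toy model of Checkout's Core Layer port modes (not from the thread).
# Verdicts are the strings "allow", "drop" or "redirect:<port>"; all values are constructed.
from dataclasses import dataclass, field

@dataclass
class PortRule:
    mode: str                              # unrestricted | stealthed | semi-stealthed | ip-restricted | redirected
    allowed_ips: frozenset = frozenset()   # ip-restricted: peers allowed on this port
    redirect_to: int = 0                   # redirected: internal port of the honey trap / logger
    solicited_only: bool = False           # ip-restricted combined with semi-stealth

@dataclass
class CoreFilter:
    inbound: dict = field(default_factory=dict)    # local port -> PortRule
    outbound: dict = field(default_factory=dict)   # remote port -> PortRule
    solicited: set = field(default_factory=set)    # remote IPs this host contacted this session

    def connect_out(self, remote_ip, remote_port):
        """Verdict for a locally initiated connection; an allowed peer becomes 'solicited'."""
        rule = self.outbound.get(remote_port, PortRule("unrestricted"))
        if rule.mode in ("stealthed", "semi-stealthed"):
            return "drop"          # discarded without transmission / may not initiate
        if rule.mode == "ip-restricted" and remote_ip not in rule.allowed_ips:
            return "drop"
        if rule.mode == "redirected":
            return f"redirect:{rule.redirect_to}"   # diverted to the internal data-gathering port
        self.solicited.add(remote_ip)
        return "allow"

    def accept_in(self, remote_ip, local_port):
        """Verdict for an inbound connection attempt on local_port."""
        rule = self.inbound.get(local_port, PortRule("stealthed"))  # assumption: unconfigured ports are stealthed
        if rule.mode == "unrestricted":
            return "allow"
        if rule.mode == "stealthed":
            return "drop"
        if rule.mode == "semi-stealthed":
            return "allow" if remote_ip in self.solicited else "drop"
        if rule.mode == "ip-restricted":
            ok = remote_ip in rule.allowed_ips and (not rule.solicited_only or remote_ip in self.solicited)
            return "allow" if ok else "drop"
        if rule.mode == "redirected":   # unsolicited attempts go to the honey-trap port, solicited replies pass
            return "allow" if remote_ip in self.solicited else f"redirect:{rule.redirect_to}"
        raise ValueError(f"unknown mode {rule.mode!r}")

    def end_session(self):
        """Solicited status lasts only for the current session."""
        self.solicited.clear()
```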
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    An interesting idea Checkout. :)

    Kind of the ultimate in component level configuration capability. All developed to a common interoperable specification, allowing the user to decide just what they want (things like - which engine, which interface, etc.)

    The problem is trying to convince the vendors that there is some advantage to them in cooperating in such an effort. :doubt:
     
  3. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Supposing that you talk about Windows based personal firewalls, I don't know if all this is feasible. It would probably mean hacking the Windows TCP/IP stack, since you want to have control at ISO layers 2/3/4 (for your core system) and 7 (for the applications system).

    As far as I can see, most dedicated firewalls offer most of the requested features and by using a (dedicated) proxy system you can add application layer functionality.
    Take my (www.e-smith.org) e-smith box. It's a Linux (red hat) based firewall, that, using iptables, knows a lot about the core functions.
    This same box handles ftp and e-mail (smtp) proxy with virus scanning and anti-spam functions.

    Integrating both (core and application) systems on Windows... I don't know if you'd want that :rolleyes:
     