l7-filter

Stephan Hermann sh at sourcecode.de
Sun Jun 5 04:58:17 CDT 2005


Hey Ante,

On Sunday 05 June 2005 11:22, Ante Karamatić wrote:
> On Sun, 2005-06-05 at 11:11 +0200, Ante Karamatić wrote:
> > Fabio said patching of kernel is possible if userland tools would
> > be developed. That's why I'm crossposting this, cause I know there
> > are few people interested in creating easy to use firewall on
> > ubuntu-devel.
>

As I said on IRC:

A firewall is a concept, not a piece of software, even a "personal 
firewall" is not only a piece of software.

Regarding the "home user", what he needs is a simple way to manage 
incoming and outgoing requests.
Regarding the e.g. "business user" aka "a company" they need higher 
levels of security.

The easiest thing to do is to allow or deny applications to have 
an incoming/outgoing connection. Like MS is doing it with their 
personal firewall, it's the easiest way to convince the "home user" to 
use such a tool. Incoming connections accordingly.

To make it straight:

The "home user" doesn't know anything about OSI layers, packet filtering 
or quality of service. He wants to do this:

"I want "this P2P Network", please let me use it. Application "P2PX" is 
this application which handles those connections. Let it go in and out 
as it wishes".

It means it's enough to play around with OSI layers 3+4 on a router basis. 
For the "home user" there should be a list of applications which are 
already preconfigured for in- and outgoing ports.

++++++++++++++++++++++++++

Speaking of "business users", it's different.
They need "a bit" more control over their network. It means there 
must be a solution for setting up a detailed, fine-grained solution.
The concept behind a "business solution" is more difficult than for the 
most common "home user".
For a "business solution" you need to go from OSI 1 to OSI 7 in this 
order. You have to think about macfilter, packetfilter, proxy server 
and strong authentication for exceptions to special users inside the 
network. A really good example is "Securecomputing Sidewinder" as one 
part of such a concept. Together with "Securecomputing Safeword" and 
some other software parts, you can deal with a big network 
infrastructure and most of the things are done.

++++++++++++++++++++++++++

Well, after all, I don't know so much about P2P networks and other "home 
user" wishes, and all of my text right now is a quick shot.
But speaking of "security", it's not easy to find a "good solution". At 
least, for the "home user" it should be easy and transparent.
Most of the problems regarding "IT security in a home environment" are 
that the "normal home user" doesn't have any clue what he's doing at 
the moment he clicks this button, closes this port or filters this 
application protocol.

Regards,

\sh
-- 
Stephan Hermann
eMail: sh at sourcecode.de JID: sh at linux-server.org
Tel.: +49700sourcecode Skype: s.hermann
Blog: http://linux.blogweb.de/
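The post argues that a home-user firewall only needs a list of applications preconfigured with their incoming and outgoing ports, applied at OSI layers 3 and 4. The following is an added example of that idea, written for this page; it is not code from the email, from l7-filter or from any Ubuntu tool. It assumes an iptables host with the multiport and conntrack match modules; the application table (ssh, web, mail, a hypothetical "p2px" client) and its port numbers are constructed for the example. The functions print the iptables commands instead of running them, so the generated rule set can be read before it is applied, and an application name with no profile is an error rather than a silently empty rule set.

```shell
#!/bin/sh
# Added example (not from the email, not l7-filter code): a minimal
# "preconfigured application list" that turns application names into
# OSI layer 3/4 iptables rules, as the post suggests for the home user.
# The rules are printed, not executed, so they can be reviewed first.
# Assumes iptables with the multiport and conntrack match modules.

# Constructed profile table: name|direction|proto|ports
#   in  = accept new incoming connections to these local ports
#   out = accept new outgoing connections to these remote ports
# Port lists use iptables multiport syntax (commas and a:b ranges).
APP_PROFILES='
ssh|in|tcp|22
web|out|tcp|80,443
mail|out|tcp|25,587,993
p2px|in|tcp|6881:6889
p2px|out|tcp|6881:6889
p2px|out|udp|6881
'

# Default-deny baseline: drop everything, allow loopback and replies
# to connections that were already accepted in either direction.
base_policy() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P OUTPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the ACCEPT rules for one application; fails if it has no profile,
# so a typo in an application name is reported instead of opening nothing.
gen_rules() {
  app="$1"
  matches=$(printf '%s\n' "$APP_PROFILES" | grep "^${app}|") || {
    echo "no profile for application '$app'" >&2
    return 1
  }
  printf '%s\n' "$matches" | while IFS='|' read -r name dir proto ports; do
    case "$dir" in
      in)  chain=INPUT ;;
      out) chain=OUTPUT ;;
      *)   echo "bad direction '$dir' in profile for $name" >&2; exit 1 ;;
    esac
    # Only NEW connections need a rule; replies are covered by base_policy.
    echo "iptables -A $chain -p $proto -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Full rule script for a list of enabled applications. Usage after
# reading the output:  firewall_script ssh web p2px | sh
firewall_script() {
  base_policy
  for app in "$@"; do
    gen_rules "$app" || return 1
  done
}

# Stand-alone run: show the rules for a typical home profile.
firewall_script ssh web p2px
```

Everything an application may do is reduced to "new connections in" and "new connections out" on fixed ports, which is exactly the layer 3/4 view the post describes; it says nothing about what the application sends over those ports, which is where the business-user concept (proxies, authentication, layer 7 classification such as l7-filter) starts.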