Thread: Layer 7 Firewall

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    1

    Layer 7 Firewall

    I am working on a project to find and implement a "firewall" or ? to reject packets being sent from the Internet to our LAN containing certain words or phrases. We presently have a SonicWALL Pro but it of course has no ability to filter unsolicited inbound packets.
    Seems like what I need is a Layer 7 device. Working in conjunction with the SonicWALL is desirable, but not essential. If this new device replaces the SonicWALL that is OK.
    Based on what research I have done thus far, it seems that Cisco has a device that could do this but costs nearly $20K. The Foundry ServerIronXL also seems to be a viable option at about a third of that price. But, both of these boxes seem to be overkill. We don't need any load balancing or switching. Just rejection of packets with unwanted words or phrases.
    Our environment is pretty simple. Less than half a dozen servers, a Cisco 2600 router with 2 T1s to an ISP, 50 workstations and the SonicWALL.
    There has to be something out there that can meet our needs for a few thousand dollars.
    Any thoughts, ideas or comments on the quest or the hardware I have found thus far will be appreciated.

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    175

    Just need a little clarification

    Ok... what do you mean by filtering out packets with "unwanted words or phrases" ... what specific words or phrases are you trying to filter out (Example: like profane or sexually oriented content on web pages?)

    Just trying to understand what you want to filter out?
    Simon Templer

    "Your work is to discover your world and then with all your heart give yourself to it."
    -The Buddha

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    Well I don't know about a "layer 7 device", seems to me like you might be trying to reinvent the wheel. Why would you scan on a packet by packet basis? At work I use mime sweeper to check email content, you can set up your own rules for words or phrases or use ready made lists as well as scanning for virii/viruses/whatever. I believe the same company does a web content filter that takes care of http/ftp - I've never used it but I have used cyber patrol which ain't too bad
    Mime sweeper is available from http://www.mimesweeper.com

  4. #4

    Sounds Like you are complicating this

    I think a better question for you to ask is what other routes you can take to filter content. Trying to filter at the packet level may not be what you need.

    For email there are different filters out there depending on what type of email you use, ie outlook, eudora, etc..

    Then there is software that regulates what people on the net can surf.

    Trying to filter at the front end would take too much time and there is already software out there that is free to use on the client end.

  5. #5
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007

    Re: Layer 7 Firewall

    You want to filter packets based on phrases in them? Well, going through each and every packet would be overkill... Given that reassembling them all into whatever they represent and then filtering it would be quite a task...

    Is this just keeping employees from looking at porn?

    Are you worried about any particular protocols? HTTP? FTP? E-mail? Instant-messaging? A little more context would help.
    [HvC]Terr: L33T Technical Proficiency

  6. #6

    Exclamation Thanks Pete

    I have been reading up on the IPTables and I am really glad that you posted that. I was learning IPCHAINS but now looking into IPTABLES. I have not read enough to get some good questions together however I did have one early on.

    There was a mention about the rules getting reset when the server was rebooted. First off why does it do that? Second how do you prevent that? If that is still an issue

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Posts
    138

    iptables

    There was a mention about the rules getting reset when the server was rebooted. First off why does it do that? Second how do you prevent that? If that is still an issue
    Iptables is a kernel level packet protection. It HAS to be reloaded at every boot. In order to prevent losing your ruleset, you need to make a ruleset script and add it to your init scripts. Hope this helps.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    Very true gaxprels, and if you've been a bit forgetful and built up a nice set of rules without scripting them "man iptables-save" is your bestest friend.
    Wrong thread btw.
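    To put #7 and #8 together in working form, here is an added example (not posted by anyone in this thread): a small sh script that saves the live ruleset with iptables-save, checks the saved file before trusting it, and restores it with iptables-restore from an init script. The rules file path and the start/save subcommands are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example: persist an iptables ruleset across reboots.
# Assumption: the ruleset lives in RULES_FILE (placeholder path) and this
# script is wired into the init scripts so "start" runs at boot.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Snapshot the currently loaded rules (run once after you are happy with them).
save_rules() {
    iptables-save > "$RULES_FILE"
}

# Sanity-check a saved file before feeding it to iptables-restore at boot:
# real iptables-save output has a "*table" header and a closing COMMIT.
# Returns 0 when the file looks usable, 1 otherwise.
valid_ruleset() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '^\*filter' "$f" || return 1
    grep -q '^COMMIT' "$f" || return 1
    return 0
}

# Reload at boot. iptables-restore replaces the tables it loads (unless -n
# is given), so running this twice does not duplicate rules.
restore_rules() {
    if ! valid_ruleset "$RULES_FILE"; then
        echo "no valid ruleset at $RULES_FILE, leaving firewall untouched" >&2
        return 1
    fi
    iptables-restore < "$RULES_FILE"
}

# Init-script style dispatch; no argument does nothing, so sourcing is safe.
case "${1:-}" in
    start) restore_rules ;;
    save)  save_rules ;;
esac
```

Build the rules interactively, run the script with `save`, then hook `start` into your distribution's init sequence so the saved file is loaded on every boot.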

  9. #9
    ::::::::::::::::::::::::::::::::
    Basically what all these people are saying is that you do not need to buy a great big piece of silicon and plastic to filter obscenities.

    We need more information to decide on exactly what program you may need, like what are the servers running and what protocols do the users have access to. You could switch over to a Cisco firewall, they have excellent customizability to filter words and phrases from mail and ftp. Since you already have a 2600 router it would integrate at the lower layers on the router well.
    ::::::::::::::::::::::::::::::::
    Tsk Tsk that 'vB Code is ON' is really tempting me.. No bad prof.! BAD!

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    Errrm, no - how do I say this? I don't think that information is really relevant - sorry. You can stick a content filter between the gateway and the network and it doesn't make any difference what's running either side, as long as it's tcp/ip networking - and it /always/ is.
    I'm also interested in this cisco firewall that does content filtering - you're not confusing this with context based access control are you?
