Re: Application Layer Firewal? There is such a thing?


Re: Application Layer Firewal? There is such a thing?

by Joekim13


Do you need layer 7 inspection or a layer 7 proxy?

For proxy firewalls, Sidewinder (I don't really prefer to use them) or Symantec Gateway Security appliances (Symantec announced they are discontinuing them).

As for firewalls, I'd recommend a Netscreen firewall, as they can have IPS/IDP blades in combination with a stateful inspection firewall. Check out the ISG line.

Another decent layer 7 inspection firewall is Checkpoint, but it is costly and has a limited number of layer 7 inspections.

Joe

Re: Application Layer Firewal? There is such a thing?

by Ivan .


There are more App based firewalls around, like

http://www.netcontinuum.com/

cheers
Ivan

On 19 Oct 2006 21:21:59 -0000, joekim13@... <joekim13@...> wrote:

> Do you need layer 7 inspection or a layer 7 proxy?
>
> For proxy firewalls, Sidewinder (I don't really prefer to use them) or Symantec Gateway Security appliances (Symantec announced they are discontinuing them).
>
> As for firewalls, I'd recommend a Netscreen firewall, as they can have IPS/IDP blades in combination with a stateful inspection firewall. Check out the ISG line.
>
> Another decent layer 7 inspection firewall is Checkpoint, but it is costly and has a limited number of layer 7 inspections.
>
> Joe
>

Re: Application Layer Firewal? There is such a thing?

by Joekim13


Actually, genius, a layer 3 firewall is simply a packet filter, such as a router that is not state aware. Most firewalls these days will do some level of layer 3~7 inspection, such as keeping state and performing RFC and application-specific inspection.

The top 3 firewalls in the market, Juniper Netscreen, Checkpoint and Cisco, all do more than layer 3 inspection.

Joe

On 10/24/06, Mario A. Spinthiras <mario@...> wrote:
Layer 7 proxy? What does that do, deny you from entering input in a CLI
or clicking on a "cancel/apply/ok" button in a GUI? A firewall is based
on performing filtering tasks on a layer 3 protocol!

I haven't really heard of such a firewall, but heck, I've seen stuff in our
line of business that you don't see on any city's Saturday night.

Firewall = application

Its filtering process = Layer 3 (IP)


EOF


Have a nice day,
Mario A. Spinthiras


P.S. I'd enjoy more challenging topics with regards to firewalls. Thank you.


Re: Application Layer Firewal? There is such a thing?

by Ivan .


Top 3 includes Cisco? Cisco didn't even submit the PIX for this
bakeoff??? They may be in the top 3 for market share, but I doubt they
are even close when it comes to technology.

Deep Inspection Firewalls
http://www.networkcomputing.com/showArticle.jhtml?articleID=160910889&pgno=1

cheers
Ivan

On 10/27/06, Joe Kim <joekim13@...> wrote:

> Actually, genius, a layer 3 firewall is simply a packet filter, such as a
> router that is not state aware. Most firewalls these days will do some level
> of layer 3~7 inspection, such as keeping state and performing RFC and
> application-specific inspection.
>
> The top 3 firewalls in the market, Juniper Netscreen, Checkpoint and Cisco,
> all do more than layer 3 inspection.
>
> Joe
>

Re: Application Layer Firewal? There is such a thing?

by Jan Nielsen-3


I work with Cisco security products every day, so take this with a pinch of
salt :-)

Actually, Cisco are right up there with the rest of them, especially with
the 7.x software for the ASA and PIX platforms; actually, even Cisco routers now
have layer 5-7 abilities in their firewall feature set. So not submitting
for a bakeoff or any kind of "test" does not mean that their products can't
go head to head with Juniper/Checkpoint and so on; it just means that Cisco
didn't feel like this was the place for their product to be tested. Also, the
term "Deep Inspection" seems a bit vague to me; almost every firewall device
today has abilities reaching into layer 5-7.

Jan

 

From: listbounce@... [mailto:listbounce@...] On behalf of Ivan .
Sent: 27 October 2006 04:59
To: Joe Kim
Cc: Mario A. Spinthiras; firewalls@...
Subject: Re: Application Layer Firewal? There is such a thing?

Top 3 includes Cisco? Cisco didn't even submit the PIX for this bakeoff???
They may be in the top 3 for market share, but I doubt they are even close
when it comes to technology.

Deep Inspection Firewalls
http://www.networkcomputing.com/showArticle.jhtml?articleID=160910889&pgno=1

cheers
Ivan


Re: Application Layer Firewal? There is such a thing?

by Joekim13


This is more fun than I thought. This FW bake-off is from 2005!!! And yes, I know the PIX is replaced by the ASA, and yes, I was talking about market share, or according to Gartner's magic quadrant for firewalls.
 
Joe

 
On 10/26/06, Ivan . <ivanhec@...> wrote:
Top 3 includes Cisco? Cisco didn't even submit the PIX for this
bakeoff??? They may be in the top 3 for market share, but I doubt they
are even close when it comes to technology.

Deep Inspection Firewalls
http://www.networkcomputing.com/showArticle.jhtml?articleID=160910889&pgno=1

cheers
Ivan


Re: Application Layer Firewal? There is such a thing?

by Joekim13


Now, if I may add some more 'fun' to this thread. One reason why Cisco didn't compete in this bake-off 'could' have been because their firewall performance decreases significantly when major FW functionalities are turned on, for example NAT, or even when passing small packets. Or they are big enough that they really couldn't care less about small bake-offs such as these. They'd much rather play the corporate political card and strong-arm than win technically, in my experience...

Anyone wonder why Cisco never publishes numbers for their FW/ASA/ISR with small packets or mixed packet sizes?

Also, most 'independent' testers such as Tolly or other groups are paid/for hire.

And yes, I also used to work with multi-vendor firewalls every day.
 
 
On 10/27/06, Joe Kim <joekim13@...> wrote:
This is more fun than I thought. This FW bake-off is from 2005!!! And yes, I know the PIX is replaced by the ASA, and yes, I was talking about market share, or according to Gartner's magic quadrant for firewalls.

Joe



RE: Application Layer Firewal? There is such a thing?

by Brandon Shoemaker


We're watching this market.
 
Here is a collection of links I've accumulated.
 
Brandon Shoemaker
Security Analyst
VEGAS.com
_________________________
 
 


From: listbounce@... [mailto:listbounce@...] On Behalf Of Joe Kim
Sent: Friday, October 27, 2006 1:04 PM
To: Ivan .
Cc: Mario A. Spinthiras; firewalls@...
Subject: Re: Application Layer Firewal? There is such a thing?

Now, if I may add some more 'fun' to this thread. One reason why Cisco didn't compete in this bake-off 'could' have been because their firewall performance decreases significantly when major FW functionalities are turned on, for example NAT, or even when passing small packets. Or they are big enough that they really couldn't care less about small bake-offs such as these. They'd much rather play the corporate political card and strong-arm than win technically, in my experience...

Anyone wonder why Cisco never publishes numbers for their FW/ASA/ISR with small packets or mixed packet sizes?

Also, most 'independent' testers such as Tolly or other groups are paid/for hire.

And yes, I also used to work with multi-vendor firewalls every day.



Re: Application Layer Firewal? There is such a thing?

by Marios A. Spinthiras


I definitely do not have the brain cells available to flame people on a
mailing list that ironically suggested that I am an idiot by using
descriptive words such as "genius". Therefore I will reallocate my
brain cells into explaining a few things that could clarify this thread
and hopefully stop the IT wannabes from talking nonsense and inspire the
true believers and IT enthusiasts.


LAYER7 : APPLICATION
-
-
-
-
LAYER 3: NETWORK
-
-

From what I have derived, since Checkpoint was mentioned and so on, you
are referring to a firewall that performs inspection on the payload
within the packet in order to judge if it is destined for its required
destination derived from the packet header.

An example of such a process is Checkpoint checking for shellcode in a
packet that is destined for port 80 TCP (which is web). That could
possibly mean a security hole exploitation, since shellcode has no
business on 80 TCP, thus it drops the packet.

NOT LAYER 7 FIREWALL in any way!

It simply dissects the packet to retrieve its payload, passes it
through a filtering list and identifies the type of traffic and if the
type of traffic is allowed to its destination. This might be done in
application layers on the actual firewall, but that has nothing to do
with the fact that it simply opened up a layer 3 packet, viewed,
blocked/allowed, and moved on.

The definition of a firewall (by definitive process) has nothing to do
with layer 7 on the OSI, disregarding the fact that the actual firewall
IS software that reaches layer 7. As far as the filtering it performs,
it remains up to layer 3.


The reason Cisco didn't implement such idiocy is very sensible. Cisco
runs on a specific platform, a specific IOS, a specific handling, and
it all matches very well, I might add. If they added such a filtering
process, which would be dominating the available processor and memory
resources of a router, imagine how it can change things from a simple
8xx to a 6xxx.

Plus the PIX isn't true IOS, which makes it a sad story. Anything else
running IOS gives it the honour of a Cisco branded device. YOU CANNOT
DOUBT CISCO, since they are running the very backbone that made it
possible for you to be reading my words and for me to have read the fool
that used a relevant amount of irony earlier on this thread aimed at me.

Layer 7 inspection? For the slow minded. Does not help, adds needless
waste of resources, and cost.


This isn't my two pence; call it more like a ten pound note.


Warm Regards and have a wonderful weekend,

Mario A. Spinthiras
Netway LTD
Nicosia,
Cyprus
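The process described in the message above (match the packet header against a rule list, dissect the TCP payload, run it through a filtering list, then allow or drop) as an added example, not code from the thread or from any vendor named in it. The policy, the addresses, the packets and the blocked-pattern list are all constructed for illustration; the HTTP request-line check is the only part taken from a standard (RFC 2616 section 5.1).

```python
"""Toy packet filter with one application-layer inspector, as an added example.
The header match is pure layer 3/4; the inspector is what looks past the IP
and TCP headers. Every packet and address below is constructed sample data."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    src: str                     # "any" or an exact IPv4 address
    dst: str
    proto: str
    dport: int
    action: str                  # "allow" or "deny"
    inspect: Optional[str] = None  # name of a layer-7 inspector, or None


def match_l3_l4(rule: Rule, pkt: Packet) -> bool:
    """Layer 3/4 match only: addresses, protocol and destination port."""
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.proto == pkt.proto and rule.dport == pkt.dport)


# Request line per RFC 2616 section 5.1: Method SP Request-URI SP HTTP-Version CRLF
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
# Constructed pattern list: content the thread says has no business on tcp/80.
_BLOCKED_PATTERNS = [re.compile(rb"cmd\.exe", re.IGNORECASE)]


def inspect_http(payload: bytes) -> Tuple[bool, str]:
    """Layer-7 check: protocol conformance first, then the pattern list."""
    if not _REQUEST_LINE.match(payload):
        return False, "not an RFC-conformant HTTP request line"
    for pat in _BLOCKED_PATTERNS:
        if pat.search(payload):
            return False, "blocked pattern %r" % pat.pattern.decode()
    return True, "http ok"


INSPECTORS: Dict[str, Callable[[bytes], Tuple[bool, str]]] = {"http": inspect_http}


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; an 'allow' rule with an inspector may still drop."""
    for rule in rules:
        if not match_l3_l4(rule, pkt):
            continue
        if rule.action == "deny":
            return "drop", "denied by L3/L4 rule"
        if rule.inspect is None:
            return "allow", "allowed by L3/L4 rule"
        ok, why = INSPECTORS[rule.inspect](pkt.payload)
        return ("allow" if ok else "drop"), why
    return "drop", "no matching rule (default deny)"


# Constructed policy: "src any, destination specific host, allow http", with inspection.
POLICY = [Rule("any", "10.0.0.80", "tcp", 80, "allow", inspect="http")]

# Constructed sample packets; 192.0.2.0/24 is documentation address space.
SAMPLES: Dict[str, Packet] = {
    "benign": Packet("192.0.2.10", "10.0.0.80", "tcp", 80,
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "cmd_exe": Packet("192.0.2.11", "10.0.0.80", "tcp", 80,
                      b"GET /cgi-bin/cmd.exe HTTP/1.0\r\n\r\n"),
    "non_http": Packet("192.0.2.12", "10.0.0.80", "tcp", 80,
                       b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # not an HTTP request line
    "other_port": Packet("192.0.2.13", "10.0.0.80", "tcp", 22, b"SSH-2.0-x\r\n"),
}


def run_samples() -> Dict[str, str]:
    """Verdict per sample packet: only the conformant, clean HTTP request passes."""
    return {name: filter_packet(POLICY, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, reason = filter_packet(POLICY, pkt)
        print("%-10s %-5s %s" % (name, verdict, reason))
```

The split between `match_l3_l4` and `inspect_http` is the point of contention in the thread: the rule lookup alone would pass all three packets aimed at tcp/80, and only the inspector, which has to parse bytes beyond the TCP header, separates the conformant request from the other two.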





Re: Application Layer Firewal? There is such a thing?

by Joekim13


I'd like to disagree.

Cisco's IOS does not run the 'backbone' of the internet. Try more like JunOS. More and more tier 1 providers are moving over to JunOS, as it is a more stable OS with superior performance and uptime, and the entire OS/hardware is modular and redundant, including the routing engine.

In the early days of Checkpoint, pre NG-AI, or other 'application aware' firewalls, it simply looked at layer 3~7 to derive application state and to allow or deny that traffic EVEN if the src/dst IP addresses matched and the 3-way TCP handshake was valid.

Your example of inspecting, 'dissecting', shellcode out of HTTP traffic: that in fact is a functionality that is 'layer 7'. It needs to look BEYOND the IP header to obtain that information.
 
"The definition of a firewall (by definitive process) has nothing to do
with layer 7 on the OSI, disregarding the fact that the actual firewall
IS software that reaches layer 7. As far as the filtering it performs,
it remains up to layer 3."

This is not true, because you can have a policy that says src any, destination specific host, allow HTTP. In addition, you can specify that if a packet has a specific cmd.exe or does not follow RFC standards for its protocol, it could be configured to drop the packet. This fact alone proves it is beyond layer 3. Even Cisco has some application awareness in their PIX and now ASA with the use of 'fixups'. Without being aware of the application or layer 4~7 information, most firewalls would drop passive FTP, as it tends to open many ports other than TCP 21. If you have any doubts, call up some of the vendors and ask them what and how they can inspect, or read through their admin guides.
 
"The reason Cisco didn't implement such idiocy is very sensible. Cisco
runs on a specific platform, a specific IOS, a specific handling, and
it all matches very well, I might add."

It's funny you mention that, since Cisco is pushing its ISRs, which are security routers. The 2811 ISRs have built-in virtual private network (VPN) hardware encryption and acceleration, firewall, IDS/IPS, NAT, QoS support and IP telephony functionality. It would not be able to do all this in layer 3, which is JUST IP.

From Techworld's review of the ISR: "In line with Cisco's tentative recommendation of up to 500 users for the 2811, the test increased users in steps up to this limit. We repeated the test several times, on each occasion enabling another feature, then another, then another – such as Firewall, then VPN, then IPS – and compared performance, across tests, plus the 2811's CPU and memory utilisation each time. We found a gradual degradation in performance as each feature was enabled, but only saw lots of failed connections towards the end of each test run, when the number of virtual users was more than 400. What we did see was that the 2811 CPU utilisation quickly went up to 100 percent with multiple features enabled, though memory usage was relatively low."

"If they added such a filtering process, which would be dominating the available processor and memory
resources of a router, imagine how it can change things from a simple 8xx to a 6xxx."

This is exactly why some vendors are ASIC-based for their high end, or put beefy CPUs on x86 or other high-end architectures....
 
 
Joe Kim
 
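The passive FTP point made above (a filter that only knows addresses and ports drops the data connection, while a PIX-style 'fixup' reads the control channel and learns which port to open) as an added example, not code from the thread or from Cisco. The addresses, the `227` reply and the one-shot pinhole rule are constructed; the reply format itself is the one defined in RFC 959 for `PASV`, where the port is `p1*256 + p2`.

```python
"""Toy stateful filter with an FTP application-layer helper, as an added example.
Without the helper the data connection that PASV announces is just an unknown
high port and is dropped; with it, the filter learns the port from the 227
reply and opens a one-shot pinhole. All addresses and bytes are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, str, int]   # (client ip, server ip, server port)

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: bytes) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from a 227 reply, or None if the line is not one."""
    m = _PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None               # malformed: each field is one octet
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass
class StatefulFilter:
    # Static layer 3/4 policy: server ports a client may open a connection to.
    allowed_ports: Set[int]
    alg: bool = True              # whether the FTP helper ("fixup") is enabled
    # Pinholes learned from application data; consumed by the connection they authorise.
    pinholes: Set[Flow] = field(default_factory=set)
    # Established flows (a real device keys on the full 5-tuple and tracks TCP state).
    established: Set[Flow] = field(default_factory=set)

    def open_connection(self, client: str, server: str, port: int) -> bool:
        """Decide a new client->server connection from the static policy or a pinhole."""
        flow = (client, server, port)
        if port in self.allowed_ports:
            self.established.add(flow)
            return True
        if flow in self.pinholes:
            self.pinholes.discard(flow)   # one 227 reply authorises one connection
            self.established.add(flow)
            return True
        return False

    def inspect_ftp(self, client: str, server: str, from_server: bytes) -> bool:
        """Layer-7 helper: watch the control channel and learn the data port.
        Returns True when a pinhole was added."""
        if not self.alg or (client, server, 21) not in self.established:
            return False
        parsed = parse_pasv(from_server)
        if parsed is None:
            return False
        ip, port = parsed
        # Constructed safety rule: only honour a reply that points back at the
        # server itself, never at a third host.
        if ip != server:
            return False
        self.pinholes.add((client, ip, port))
        return True


PASV_REPLY = b"227 Entering Passive Mode (10,0,0,21,195,88)\r\n"   # constructed


def passive_ftp_session(alg: bool) -> Dict[str, bool]:
    """Run a constructed PASV exchange through the filter and report both verdicts."""
    fw = StatefulFilter(allowed_ports={21, 80}, alg=alg)
    client, server = "192.0.2.10", "10.0.0.21"
    control_ok = fw.open_connection(client, server, 21)   # permitted by static policy
    fw.inspect_ftp(client, server, PASV_REPLY)            # helper reads the 227 reply
    data_port = parse_pasv(PASV_REPLY)[1]                 # 195*256 + 88 = 50008
    data_ok = fw.open_connection(client, server, data_port)
    return {"control": control_ok, "data": data_ok}


if __name__ == "__main__":
    print("with helper:   ", passive_ftp_session(alg=True))
    print("without helper:", passive_ftp_session(alg=False))
```

The static policy never changes between the two runs; the only difference is whether the filter parsed the application-layer reply, which is exactly the "layer 4~7 information" the message says a firewall needs in order to pass passive FTP. The check that the announced address equals the server's is an added precaution, not something the thread discusses.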