Let me emphasize what has been said here before: firewalls
are more than just 'protect against sendmail bugs', they provide
implementations of policy.

Firewalls have evolved into what might be viewed as the first,
crude, approximation to policy-based routing. Eventually, we hope that
policy will be implemented in a more, hmm, integrated fashion. Right now,
you're forced to sort of glue it on top of IP in this sort of sideways
fashion. What the current generation of firewall does really gracefully is
provide a central point of administration. What they don't do is provide
high-level, seamless, implementations. It's currently all very ad hoc.

(my fav pet peeve is that access control is by port number, which
has only a loose correlation to service -- which is really what you
want to control! IPX, anyone?)

It might be worth looking at some of the work that's been done
on policy-based routing. I'm not certain that pushing policy into
the routing layer is the right approach, but it might be.

In any case, I expect that no matter what the boxes that implement
policy in future look like, they'll probably be called firewalls.

Andrew Molitor

P.S. please don't bother telling me how policy == censorship or anything,
we don't want to force Brent back in the moderator's seat, do we?