In some mail from Andrew Molitor, sie said:
> What would actually be USEFUL would be application gateways that
> parse the stream completely, and do no-write-down, no-read-up checking (err,
> or whatever the right directions are) for reasonable definitions of Up and
> Down. A good firewall would run two or more separately developed engines in
> parallel, and use tell-me-N-times to be sure. A relatively simple way to do
> it would be to use a Unix personality on top of Mach or QNX, and run the app
> in that captive environment, and watch what it does to the input data, faking
> up environment as needed. This has tremendous sex appeal, I think, but your
> time-to-market is longer. You actually have to do something to support
> a new protocol, instead of merrily plugboarding it through and yelling
> 'Hell yeah! We support GrookLink!'
> What this lets you do is, instead of grubbing through the stream
> and guessing whether it's icky, and trying to contain any detonations, is
> simulate what the data is actually going to do when the real app gets it,
> and see if it's going to do anything bad. This handles Java elegantly,
> as well as the favorite sendmail-o-the-month bugs. Note that you cannot
> handle Java with anything less, really, it's Turing Mumble Mumble Thingy
I think the application gateway you describe above is more correct for
handling java and other _transaction_ based protocols such as HTTP and
e-mail. I'm not sure that FTP is well suited by this model...
I don't see this particular paradigm suiting character streams such as
TELNET or rlogin, for example, very well; they require continual flow
of data rather than store-process-forward.
Another problem for protocols such as rlogin is that it can't correctly
(100% of the time) immitate the trust model used unless you give it a
preconception of what are good and bad relationships between internal
and external entities. And that's not counting on it changing, over time.
The filters implied by using a virtual machine are far from trivial,
requiring an idea of what correct output (or safe output) is, given that
you can immitate all possible inputs, and possible combinations thereof
which can have adverse effect.