Saturday, 2 February 2013

Packet Filtering Limitations


It has often been argued that packet filters cannot make content-based decisions, which leaves the door open for many data-driven attacks. This is probably not a valid criticism. The whole point of packet filtering is that it provides fast and reliable checking based on packet header information, not on packet content.

If content-based decisions are needed, they should be made at a higher layer in the network. On the other hand, it would be a huge improvement if, in the future, all header fields were made available as packet filtering criteria. As yet, this is not the case.
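
The header-only behaviour described above can be seen in a minimal filter. This is an added example, not code from the original post; the rule set, the addresses (documentation ranges), the sample packets and the function names are assumptions made for illustration. Two packets with identical headers but different payloads receive the same verdict, because the payload is never read.

```python
import ipaddress
import struct

# Hypothetical rule set for this example: (action, source network, IP protocol, dest port).
RULES = [
    ("deny", ipaddress.ip_network("203.0.113.0/24"), 6, None),  # any TCP from this range
    ("allow", ipaddress.ip_network("0.0.0.0/0"), 6, 80),        # TCP/80 from anywhere
]
DEFAULT = "deny"

def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (constructed sample data, checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp + payload

def parse_headers(pkt):
    """Extract only header fields; the payload bytes are never inspected."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    fields = {"src": ipaddress.ip_address(pkt[12:16]), "proto": pkt[9], "dport": None}
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Ports exist only in the first fragment of a TCP (6) or UDP (17) datagram.
    if fields["proto"] in (6, 17) and frag_offset == 0:
        if len(pkt) < ihl + 4:
            raise ValueError("truncated transport header")
        fields["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return fields

def verdict(pkt):
    """First matching rule wins; malformed packets and unmatched traffic are denied."""
    try:
        f = parse_headers(pkt)
    except ValueError:
        return "deny"
    for action, net, proto, dport in RULES:
        if f["src"] in net and f["proto"] == proto and dport in (None, f["dport"]):
            return action
    return DEFAULT

if __name__ == "__main__":
    hdr = ("198.51.100.7", "192.0.2.10", 40000, 80)
    for body in (b"GET /index.html HTTP/1.0\r\n\r\n", b"<constructed data-driven input>"):
        print(verdict(build_packet(*hdr, body)), body)  # same headers, same verdict
```

Any decision that depends on the request body has to be made by a component that reassembles and parses the application data, which is the higher layer the text refers to.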
