[61157] in North American Network Operators' Group
Layer 5+ inspection at the border?
daemon@ATHENA.MIT.EDU (Rick Ernst)
Mon Aug 25 12:54:38 2003
Date: Mon, 25 Aug 2003 09:53:41 -0700 (PDT)
From: Rick Ernst <ernst@easystreet.com>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
I'm looking for a beast that is roughly a combination of Cisco NBAR and
Foundry URL inspection.

NBAR worked pretty well for CodeRed, but I'd rather have a dedicated device
than overload a router with non-routing functions. I haven't used
Foundry's URL inspection, but it looks reasonable, too.

I would, however, like something that can do generic Layer 5+
inspection/alteration so that things such as SMTP headers can also be inspected
and processed/blocked/altered.

I'd prefer a switching device that can replace the switches between my border
and core, but allow transparent manipulation of the packets, preferably at
wire speed.

Any suggestions? The idea is to have a central location that can watch for
and block 'bad payload'. It looks like F5 may have a solution, but I'd like
comments and experiences from those who have deployed such a device.

Thanks,
Rick