Firewall Wizards mailing list archives

Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 12 Aug 2002 18:40:57 -0500

On Mon, 2002-08-12 at 18:09, Ryan Russell wrote:
> From what I understand about Barnyard (and that I assume others do as
> well) is that it will "normalize" packets to some degree, use IDS-style
> rules, and add blocking.

Ryan,

you probably realized by now that you meant Hogwash, not Barnyard.
Barnyard is just an 'output plugin enhancer' (it decouples the plugins
from Snort: Snort writes to a spool file, which Barnyard then reads in
and then calls the plugins).

Hogwash is the inline IDS. I'm not that familiar with Hogwash, but I
don't think it 'normalizes' packets in terms of reshaping them and
passing them on. It only makes a decision based on the snort signature
set if a packet is to be passed on or dropped. Anyhow... I just want to
clarify that for other readers.

> One could easily argue that firewalls should
> have been able to do the packet normalization [...]

Speaking of normalization, some firewalls do. As I remember, the pf of
OpenBSD has a packet scrubbing feature.

> I think a more interesting question is: if GIDS is the new "firewall",
> then why did firewalls running on top end PCs max at 100mbps or so with
> just a few dozen rules and terribly simple filtering capabilities... while
> a GIDS with much more interesting filtering capabilities and a few
> thousand rules can also do the same?  Did PCs just get that much faster?

uhm... no. There is a performance tradeoff. But keep in mind that
firewalls have been around longer, whereas Gateway IDS, or Inline IDS, or
signature IDS, or whatever you want to call it (just don't call it
Intrusion Prevention...please :) is a relatively new, and somewhat
immature technology. Over time, we will probably see the two merge to
the extent that you configure your firewall like 'allow http to my web
servers, but drop Nimda probes'. I have no idea what those
intrusion-walls will be called. I like to call them Bob... ;)

Regards,
Frank
