Firewall Wizards mailing list archives
RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: stig.ravdal () digitalpaper com
Date: Wed, 14 Aug 2002 10:05:26 -0400
IMHO it is not really a question of whether it is a firewall or something else (new marketing hype). It's another device/appliance that can augment your security perimeter. And as such it makes sense to distinguish it from, let's say, a packet filtering or stateful inspection firewall - but it could just as well be called a signature or knowledge based firewall. This "new" generation of firewall, or rather novel way of applying the Intrusion Detection engine and logic, seems to fit pretty well into the layered approach to the security perimeter. In a hypothetical security perimeter (no DMZ/Service network shown), the signature based ("Inline IDS") may fit somewhere behind the second or third layer (an example):

Layer 1: Border Router (ACLs)
Layer 2: Packet Filter
Layer 3: Stateful Inspection and/or VPN Gateway
Layer 4: "Inline IDS Gateway," Proxies, SMTP Relay/Spamfilters, etc.

From one layer to the next the volume of traffic is reduced, which in turn allows the more intensive processing of the lower layer devices to focus on their specific tasks. In many cases one device/appliance will handle more than one of the layers, but having at least two layers makes sense. There are of course a plethora of other ways that the devices could be organized. Another advantage of using the layered approach is that the "Inline IDS" is vulnerable to DoS attacks (I think: Inline IDS = "Smart/Intelligent/Dynamic firewall"), but the previous layers could implement a rule set to limit the effect of such an attack. I don't expect to see any devices that will encompass all these different segments of the firewall/access control/filtering space any time soon, or at least a product that will do it well (some vendors may try). As Marcus pointed out, you'd have to redesign this product from the bottom up. An all encompassing security gateway would be a single point of failure (either from an attacker or physical failure, barring redundancy).

Stig
-----Original Message-----
From: Crispin Cowan [mailto:crispin () wirex com]
Sent: Tuesday, August 13, 2002 2:54 AM
To: Stiennon,Richard
Cc: Firewall Wizards
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

Stiennon,Richard wrote:
> All well and good Crispin. I agree that devices such as OneSecure's or Intruvert's do provide gateway security therefore could be called firewalls. However they have NO ability to apply a security policy based on connections. I can't ask one of these devices to enforce: From IP address to IP address using FTP, ALLOW. They also are not configured with multiple ports to provide for standard zoning.

So they are firewalls with critical features missing, and thus need to be composed with more classical firewalls. This kind of comparison might help consumers decide what they need to buy, and might help product vendors discover that their signature firewalls are missing a feature or two.

> These inline-inspection and action engines are doing something all firewalls cannot: Re-assembling packets into sessions and comparing to extensive list of signatures and dropping sessions.

That's just a new way of doing network access control. It's still firewall work.

> It may be that signature, protocol, and behavior based blocking will someday be in the firewall but they are not there today. Since these products are targeted at replacing IDS devices, not firewalls,

"Targeted"? In what sense? NIDS can be deployed configured to be highly sensitive, with analysts reading the output to decide what to really care about. Signature firewalls had better not be deployed that way, or a lot of legitimate traffic will get blocked.

> it makes sense to call them something like Intrusion Prevention devices rather than Layer7-8 firewalls or something else.

I submit that it does not make sense to do that. Rather, it confounds the market and makes comparisons difficult for product consumers.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
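As an added illustration (not part of Stig's or Crispin's posts), the following Python script simulates Stig's four-layer perimeter on a constructed packet trace: each layer sees fewer packets than the one before it, a per-source SYN budget enforced at the stateful layer keeps a flood from reaching the inline IDS, and only packets that survive the earlier layers are matched against signatures. Addresses, the allowed port set, the SYN budget and the single toy signature are all assumptions made up for the example.

```python
"""Constructed simulation of the four-layer perimeter described above."""
from collections import Counter, defaultdict

# Constructed trace: (src, dst_port, tcp_flag, payload). Addresses are made up.
TRACE = (
    [("10.0.0.5", 80, "S", b""),        # private source arriving at the border
     ("203.0.113.9", 23, "S", b""),     # telnet, not in the allowed port set
     ("203.0.113.9", 80, "S", b""),     # legitimate handshake
     ("203.0.113.9", 80, "A", b"GET / HTTP/1.0\r\n"),  # follows its SYN
     ("198.51.100.7", 80, "A", b"GET /x")]  # no prior SYN: not in state table
    + [("198.51.100.8", 80, "S", b"")] * 50   # SYN flood from a single source
    + [("203.0.113.9", 80, "A", b"GET /cgi-bin/../../etc/passwd")]
)

ALLOWED_PORTS = {25, 80, 443}     # Layer 2 packet filter policy (assumed)
SIGNATURES = [b"../.."]           # Layer 4 inline IDS patterns (toy example)
SYN_BUDGET = 10                   # per-source SYN limit applied before Layer 4

def run_perimeter(trace):
    """Return packets reaching each layer and the Layer 4 alerts raised."""
    reached = Counter()
    sessions = set()              # (src, port) pairs that completed a SYN
    syn_count = defaultdict(int)
    alerts = []
    for src, port, flag, payload in trace:
        reached["L1"] += 1
        if src.startswith("10."):          # Layer 1: border ACL drops RFC1918 src
            continue
        reached["L2"] += 1
        if port not in ALLOWED_PORTS:      # Layer 2: packet filter
            continue
        reached["L3"] += 1
        if flag == "S":
            syn_count[src] += 1
            if syn_count[src] > SYN_BUDGET:  # Layer 3 rule set limits the flood
                continue                     # so Layer 4 never sees it
            sessions.add((src, port))
        elif (src, port) not in sessions:  # Layer 3: stateful, no session -> drop
            continue
        reached["L4"] += 1                 # Layer 4: inline IDS inspects payload
        if any(sig in payload for sig in SIGNATURES):
            alerts.append((src, payload))
    return dict(reached), alerts

if __name__ == "__main__":
    counts, hits = run_perimeter(TRACE)
    print(counts)   # {'L1': 56, 'L2': 55, 'L3': 54, 'L4': 13}
    print(hits)
```

Of the 56 packets at the border, only 13 reach the signature engine, and 40 of the flood's 50 SYNs are dropped before it, which is the DoS-shielding effect Stig attributes to the earlier layers.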