Firewall Wizards mailing list archives

RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: stig.ravdal () digitalpaper com
Date: Wed, 14 Aug 2002 10:05:26 -0400

IMHO it is not really a question of whether it is a firewall or something else
(new marketing hype).  It's another device/appliance that can augment your
security perimeter.  And as such it makes sense to distinguish it from, let's
say, a packet filtering or stateful inspection firewall - but it could just
as well be called a signature or knowledge based firewall.

This "new" generation of firewall, or rather novel way of applying the
Intrusion Detection engine and logic, seems to fit pretty well into the
layered approach to the security perimeter. In a hypothetical security
perimeter (no DMZ/Service network shown), the signature based ("Inline IDS")
may fit somewhere behind the second or third layer (an example):

Layer 1: Border Router (ACLs)
Layer 2: Packet Filter
Layer 3: Stateful Inspection and/or VPN Gateway
Layer 4: "Inline IDS Gateway," Proxies, SMTP Relay/Spamfilters, etc. 

From one layer to the next the volume of traffic is reduced which in turn
allows the more intensive processing of the lower layer devices to focus on
their specific tasks.  In many cases one device/appliance will handle more
than one of the layers, but having at least two layers makes sense.  There
are of course a plethora of other ways that the devices could be organized.

Another advantage of using the layered approach is that the "Inline IDS" is
vulnerable to DoS attacks (I think: Inline IDS =
"Smart/Intelligent/Dynamic firewall") but the previous layers could
implement a rule set to limit the effect of such an attack.

I don't expect to see any devices that will encompass all these different
segments of the firewall/access control/filtering space any time soon, or
at least a product that will do it well (some vendors may try). As Marcus
pointed out you'd have to redesign this product from the bottom up.  An
all-encompassing security gateway would be a single point of failure (either
from an attacker or physical failure barring redundancy).

Stig



-----Original Message-----
From: Crispin Cowan [mailto:crispin () wirex com]
Sent: Tuesday, August 13, 2002 2:54 AM
To: Stiennon,Richard
Cc: Firewall Wizards
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name


Stiennon,Richard wrote:

All well and good Crispin.  I agree that devices such as OneSecure's or
Intruvert's do provide gateway security and therefore could be called
firewalls.  However they have NO ability to apply a security policy based on
connections. I can't ask one of these devices to enforce:

From IP address to IP address using FTP, ALLOW.

They also are not configured with multiple ports to provide for standard
zoning.

So they are firewalls with critical features missing, and thus need to be
composed with more classical firewalls. This kind of comparison might help
consumers decide what they need to buy, and might help product vendors
discover that their signature firewalls are missing a feature or two.

These inline-inspection and action engines are doing something all firewalls
cannot: re-assembling packets into sessions and comparing to an extensive
list of signatures and dropping sessions.

That's just a new way of doing network access control. It's still firewall
work.

It may be that signature, protocol, and behavior based blocking will someday
be in the firewall but they are not there today. Since these products are
targeted at replacing IDS devices, not firewalls,

"Targeted"? In what sense? NIDS can be deployed configured to be highly
sensitive, with analysts reading the output to decide what to really care
about.  Signature firewalls had better not be deployed that way, or a lot of
legitimate traffic will get blocked.

it makes sense to call them something like Intrusion Prevention devices
rather than Layer7-8 firewalls or something else.

I submit that it does not make sense to do that. Rather, it confounds 
the market and makes comparisons difficult for product consumers.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: 
http://wirex.com/Products/Immunix/purchase.html
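An added illustration, not written by anyone in this thread, of the layered perimeter Stig sketches and of the distinction Richard and Crispin argue over (a connection policy of the form "from IP address to IP address using FTP, ALLOW" versus a session-reassembling signature engine). It is a small Python model in which a stateless policy layer, a stateful new-connection rate limit and a reassembling signature layer sit in series, so that only a fraction of the traffic ever reaches the expensive layer and a session flood is absorbed before it gets there. The addresses, the signature and the packets are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Policy in the form Richard gives (from <net> to <host> using FTP, ALLOW); all values constructed.
ALLOW = [(ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_address("192.0.2.10"), 21)]
NEW_CONN_LIMIT = 5  # new sessions per source the stateful layer admits before it starts dropping
SIGNATURES = [re.compile(rb"RETR\s+\.\./")]  # constructed signature: traversal attempt in FTP RETR

def policy_allows(pkt):
    """Layers 2/3: cheap 5-tuple decision that never looks at the payload."""
    src, _sport, dst, dport, _payload = pkt
    return any(ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) == host
               and dport == port for net, host, port in ALLOW)

def run_perimeter(packets):
    """Push packets through the layers; return per-layer packet counts and the drops."""
    reached = {"l2_policy": 0, "l3_stateful": 0, "l4_signature": 0}
    new_conns = defaultdict(int)      # new sessions per source; the rate limit shields layer 4
    streams = {}                      # flow -> reassembled payload, so signatures see the session
    blocked = set()                   # flows the signature layer has already dropped
    dropped = []
    for pkt in packets:
        src, sport, dst, dport, payload = pkt
        reached["l2_policy"] += 1
        if not policy_allows(pkt):
            dropped.append(("policy", src)); continue
        reached["l3_stateful"] += 1
        flow = (src, sport, dst, dport)
        if flow in blocked:           # session already killed by layer 4: drop the rest quietly
            dropped.append(("session", src)); continue
        if flow not in streams:
            new_conns[src] += 1
            if new_conns[src] > NEW_CONN_LIMIT:
                dropped.append(("ratelimit", src)); continue
            streams[flow] = bytearray()
        reached["l4_signature"] += 1  # only this residue pays for reassembly and matching
        streams[flow] += payload
        if any(sig.search(streams[flow]) for sig in SIGNATURES):
            blocked.add(flow); dropped.append(("signature", src))
    return reached, dropped

# Constructed traffic: an attack split across packets, a clean login, a source outside the policy,
# and a 20-session flood from one host that would otherwise all be work for the signature layer.
PACKETS = [
    ("10.0.0.5", 50001, "192.0.2.10", 21, b"USER anon"),
    ("10.0.0.5", 50001, "192.0.2.10", 21, b"ymous\r\nRETR ../../etc/pass"),
    ("10.0.0.5", 50001, "192.0.2.10", 21, b"wd\r\n"),
    ("10.0.0.7", 50002, "192.0.2.10", 21, b"USER bob\r\n"),
    ("198.51.100.4", 50004, "192.0.2.10", 21, b"USER x\r\n"),
] + [("10.0.0.8", 40000 + i, "192.0.2.10", 21, b"USER a") for i in range(20)]
```

Running `run_perimeter(PACKETS)` shows 25 packets hitting the policy layer, 24 reaching the stateful layer and only 8 reaching the signature engine; the split-payload RETR is caught only because the flow was reassembled first, and 15 of the flood's 20 sessions never reach layer 4.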


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
