Firewall Wizards mailing list archives
Re: Firewalls Compared
From: Crispin Cowan <crispin () immunix com>
Date: Wed, 30 Jun 2004 05:22:19 -0700
Eugene Kuznetsov wrote:

> Hmm, I do not think that "firewall" is the right term for devices that operate at layer 7 or "layer 8". Not on grounds of technical correctness, but of common usage.

On the contrary, I think that "firewall" is exactly the right word for a box that mediates access between networks, regardless of the layer it inspects. In point of fact, the original firewalls (application proxy firewalls) did do level 7 and 8 inspection. The penchant for firewalls that inspect only up to layer 4 is a relatively recent "innovation" from the mid-90s with the introduction of packet filter firewalls.

> If a big challenge for making a more secure world is information and education about threats and best practices, the term "firewall" does more harm than good. One man's application firewall is another woman's application proxy and someone else's packet filter.

For exactly the same education reasons of referring to similar function devices with similar names, I vehemently object to characterizing network intrusion prevention devices of any kind as anything *but* firewalls. They can be "deep inspection firewall" or "layer 8 firewall" or any other kind of "spiffy keen new-improved firewall." Anyone who tries to tell you that a device that mediates between two networks is "not a firewall" is selling something.

It is not that hard to understand or classify. All devices that mediate between networks are firewalls, and to distinguish between the levels of inspection they do you use qualifying terms:

* packet filter firewall: stateless inspection of packets.
* stateful packet filter firewall: stateful inspection of packets.
* proxy firewall: reconstructs full connection requests to the application layer before passing them on, or not.
* deep inspection firewall: synthesizes an approximation of the application-layer semantics of a connection. Strikes me as vaguely analogous to stateful packet inspection, but for higher layers.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
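The first two classes in Crispin's list, the stateless packet filter and the stateful packet filter, differ in exactly one thing: whether the device remembers earlier packets. The toy simulation below is an added illustration, not code from the post or from Immunix. Both filters enforce the same written policy ("inside may open connections out; only replies may come in"), but the stateless one has to approximate "reply" from flags in the packet alone, while the stateful one checks a connection table it filled when the inside host sent its SYN. The packet trace, addresses (RFC 5737 documentation ranges plus a 10.0.0.0/8 inside host) and the `Packet` fields are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: just the fields the two rule sets consult."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK"}
    direction: str        # "out" = from the inside network, "in" = from outside


def stateless_filter(pkt: Packet) -> str:
    """Stateless packet filter: every packet is judged on its own header.
    Outbound is allowed. Inbound is allowed only if it *looks like* part of an
    existing conversation, which with no memory can only mean 'ACK bit set'."""
    if pkt.direction == "out":
        return "allow"
    if "ACK" in pkt.flags:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful packet filter: same policy, but 'part of an existing
    conversation' is decided against a table of connections the inside
    network actually initiated."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.table: set = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # A bare SYN leaving the network opens a new table entry.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: the packet's (dst, dport, src, sport) must match a
        # connection the inside opened; flags alone are not trusted.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.table else "deny"


# Constructed trace: an inside host opens HTTPS to a server, the server
# replies, then an unrelated outside host sends a SYN and a bare ACK to
# the inside host's SSH port.
TRACE = [
    Packet("10.0.0.5", "203.0.113.10", 40000, 443, frozenset({"SYN"}), "out"),
    Packet("203.0.113.10", "10.0.0.5", 443, 40000, frozenset({"SYN", "ACK"}), "in"),
    Packet("198.51.100.7", "10.0.0.5", 50000, 22, frozenset({"SYN"}), "in"),
    Packet("198.51.100.7", "10.0.0.5", 50000, 22, frozenset({"ACK"}), "in"),
]


def run_trace(trace=TRACE):
    """Return (stateless_decisions, stateful_decisions) for the trace."""
    stateful = StatefulFilter()
    stateless_out = [stateless_filter(p) for p in trace]
    stateful_out = [stateful.decide(p) for p in trace]
    return stateless_out, stateful_out


if __name__ == "__main__":
    a, b = run_trace()
    for pkt, s1, s2 in zip(TRACE, a, b):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{'/'.join(sorted(pkt.flags)):8} stateless={s1:5} stateful={s2}")
```

Running it shows the two filters agreeing on the first three packets and splitting on the fourth: the stateless rule admits the unsolicited ACK to port 22 because "ACK set" is the only notion of "established" it can express, whereas the stateful filter rejects it because no inside-initiated connection matches. That single row is the practical content of the "stateless" versus "stateful" qualifier in the taxonomy above.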
Current thread:
- Re: Firewalls Compared, (continued)
- Re: Firewalls Compared Paul D. Robertson (Jun 22)
- Re: Firewalls Compared Devdas Bhagat (Jun 22)
- Re: Firewalls Compared Paul D. Robertson (Jun 23)
- RE: Firewalls Compared Laura Taylor (Jun 26)
- Re: Firewalls Compared ArkanoiD (Jun 28)
- RE: Firewalls Compared Laura Taylor (Jun 28)
- Re: Firewalls Compared Marcus J. Ranum (Jun 28)
- RE: Firewalls Compared Eugene Kuznetsov (Jun 29)
- RE: Firewalls Compared Ben Nagy (Jun 30)
- Re: Firewalls Compared Devdas Bhagat (Jun 30)
- Re: Firewalls Compared Crispin Cowan (Jun 30)
- Message not available
- Re: Firewalls Compared ArkanoiD (Jun 29)
- Message not available
- Re: Firewalls Compared Dave Piscitello (Jun 24)
- RE: Re: Firewalls Compared Christopher Lee (Jun 21)
- RE: Firewalls Compared Ben Nagy (Jun 30)
- Re: Firewalls Compared Devdas Bhagat (Jun 30)
- Message not available
- RE: Firewalls Compared Marcus J. Ranum (Jun 30)