Firewall Wizards mailing list archives

Re: Firewalls Compared

From: Crispin Cowan <crispin () immunix com>
Date: Wed, 30 Jun 2004 05:22:19 -0700

Eugene Kuznetsov wrote:

Hmm, I do not think that "firewall" is the right term for devices that
operate at layer 7 or "layer 8". Not on grounds of technical correctness,
but of common usage.

On the contrary, I think that "firewall" is exactly the right word for abox that mediates access between networks, regardless of the layer itinspects. In point of fact, the original firewalls (application proxyfirewalls) did do level 7 and 8 inspection. The penchant for forfirewalls that inspect only up to layer 4 is a relatively recent"innovation" from the mid-90s with the introduction of packet filterfirewalls.

If a big challenge for making a more secure world is
information and education about threats and best practices, the term
"firewall" does more harm than good. One man's application firewall is

another woman's application proxy and someone else's packet filter.

For exactly the same education reasons of referring to similar functiondevices with similar names, I vehemently object to characterizingnetwork intrusion prevention devices of any kind as anything *but*firewalls. They can be "deep inspection firewall" or "layer 8 firewall"or any other kind of "spiffy keen new-improved firewall." Anyone whotries to tell you that a device that mediates between two networks is"not a firewall" is selling something.

It is not that hard to understand or classify. All devices that mediatebetween networks are firewalls, and to distinguish between the levels ofinspection they do you use qualifying terms:


   * packet filter firewall: stateless inspection of packets.
   * stateful packet filter firewall: stateful inspection of packets.
   * proxy firewall: reconstructs full connection requests to the
     application layer before passing them on, or not.
   * deep inspection firewall: synthesizes an approximation of the
     application-layer semantics of a connection. Strikes me as vaguely
     analogous to stateful packet inspection, but for higher layers.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Firewalls Compared, (continued)
- - - Re: Firewalls Compared Paul D. Robertson (Jun 22)
    - Re: Firewalls Compared Devdas Bhagat (Jun 22)
    - Re: Firewalls Compared Paul D. Robertson (Jun 23)
    - RE: Firewalls Compared Laura Taylor (Jun 26)
    - Re: Firewalls Compared ArkanoiD (Jun 28)
    - RE: Firewalls Compared Laura Taylor (Jun 28)
    - Re: Firewalls Compared Marcus J. Ranum (Jun 28)
    - RE: Firewalls Compared Eugene Kuznetsov (Jun 29)
    - RE: Firewalls Compared Ben Nagy (Jun 30)
    - Re: Firewalls Compared Devdas Bhagat (Jun 30)
    - Re: Firewalls Compared Crispin Cowan (Jun 30)
    - Message not available
    - Re: Firewalls Compared ArkanoiD (Jun 29)
    - Message not available
    - Re: Firewalls Compared Dave Piscitello (Jun 24)
- Re: Firewalls Compared Norman Zhang (Jun 21)
  - RE: Re: Firewalls Compared Christopher Lee (Jun 21)
- RE: Firewalls Compared Stiennon,Richard (Jun 29)
  - RE: Firewalls Compared Ben Nagy (Jun 30)
  - Re: Firewalls Compared Devdas Bhagat (Jun 30)
  - Message not available
    - RE: Firewalls Compared Marcus J. Ranum (Jun 30)
  - RE: Firewalls Compared Jim Seymour (Jun 30)