Firewall Wizards mailing list archives
Re: Thoughts on the new Cisco ASA 5500 firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 20 May 2005 21:34:48 -0400
Tichomir Kotek wrote:
> actually IDS/IPS is handled in a separate module, where you can "route" traffic flows for inspection, so at least this does not overload the central CPU.
All of the "Deep packet inspection" firewall/switches that I have seen default to "inspection off" and require user configuration to turn it on. Presumably that's because there's a big performance hit when you're no longer doing fast-path processing and change over to "deep" inspection.

"Deep Packet Inspection" is complete marketing malarkey. Basically you have a switch with a lame-O "stateful" firewall and a handful of IDS signatures added with the ability to attach a blocking rule when they match. Some of these "deep inspection" devices "know" about dozens - yes, DOZENS - of different attacks. Some of them know how to do minimal application protocol error tracking ("protocol anomaly detection") on as many as 6 whole application protocols. That's not "intrusion prevention" and it's not "deep" anything. It's bogo-security.

Customers, of course, lap it up because they are happy to remain ignorant as long as vendors offer them something that looks like a panacea (at least on powerpoint) that has "virtually no performance impact." Well, it's got "virtually no security value" either.

One of my clients was looking at one of the "Deep Inspection" firewalls compared to a proxy firewall, and I did a short write-up for them, that's on: http://www.ranum.com/security/computer_security/editorials/deepinspect in case anyone wants a more fleshed out view on why deep inspection is just another fundamentally flawed "default permit" security "feel good" device.

mjr.
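To make the "default permit" versus proxy distinction in the post concrete, here is an added illustration (not code from the post or from any product it mentions). A hypothetical two-entry signature list stands in for a "deep inspection" box, and a minimal HTTP/1.x request validator stands in for a proxy; the three requests are constructed samples.

```python
import re

# Hypothetical signature set standing in for the "dozens" of IDS signatures
# the post describes; real products ship their own lists.
SIGNATURES = [
    re.compile(rb"\.\./"),            # directory traversal
    re.compile(rb"cmd\.exe", re.I),   # worm-era Windows shell request
]

# Minimal shape of an HTTP/1.x request line and of a header line.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/[\x21-\x7e]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+: [\x20-\x7e]*$")


def signature_inspect(request: bytes) -> str:
    """Default permit: traffic passes unless a known-bad pattern matches."""
    return "blocked" if any(s.search(request) for s in SIGNATURES) else "allowed"


def proxy_validate(request: bytes) -> str:
    """Default deny: forward only a request that parses as well-formed HTTP.
    Anything the proxy does not understand, known attack or not, is dropped."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return "blocked"                       # no complete header block
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or b".." in m.group(2).split(b"/"):
        return "blocked"                       # malformed line or traversal
    if not all(HEADER_LINE.match(h) for h in lines[1:]):
        return "blocked"                       # a header that is not a header
    return "allowed"


def compare(request: bytes) -> dict:
    """Run the same bytes through both policies and report each verdict."""
    return {"signature": signature_inspect(request),
            "proxy": proxy_validate(request)}


# Constructed samples: a benign request, a signature-matching attack, and an
# unknown malformed payload that nothing in the signature list describes.
SAMPLES = {
    "benign":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "unknown":   b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n\x00\x7f\xfe:\x01\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, compare(req))
```

The "unknown" sample is the case the post is about: the signature policy lets it through because no rule names it, while the protocol-validating proxy drops it simply because it is not HTTP.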