Firewall Wizards mailing list archives

Re: Thoughts on the new Cisco ASA 5500 firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 20 May 2005 21:34:48 -0400

Tichomir Kotek wrote:
> actually IDS/IPS is handled in a separate module, where you can "route"
> traffic flows for inspection, so at least this does not overload the central CPU.

All of the "Deep packet inspection" firewall/switches that I have
seen default to "inspection off" and require user configuration
to turn it on. Presumably that's because there's a big performance
hit when you're no longer doing fast-path processing and change
over to "deep" inspection.

"Deep Packet Inspection" is complete marketing malarkey. Basically
you have a switch with a lame-O "stateful" firewall and a handful of
IDS signatures added with the ability to attach a blocking rule when
they match. Some of these "deep inspection" devices "know" about
dozens - yes, DOZENS - of different attacks. Some of them know
how to do minimal application protocol error tracking ("protocol
anomaly detection") on as many as 6 whole application protocols.
That's not "intrusion prevention" and it's not "deep" anything. It's
bogo-security. Customers, of course, lap it up because they are
happy to remain ignorant as long as vendors offer them something
that looks like a panacea (at least on powerpoint) that has "virtually
no performance impact." Well, it's got "virtually no security value"
either.

One of my clients was looking at one of the "Deep Inspection"
firewalls compared to a proxy firewall, and I did a short write-up
for them, that's on:
http://www.ranum.com/security/computer_security/editorials/deepinspect
in case anyone wants a more fleshed out view on why deep
inspection is just another fundamentally flawed "default permit"
security "feel good" device.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
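As an added illustration (not part of Marcus's post or anything else in this thread), the following Python contrasts the two models the post describes: a device that blocks only when one of a handful of signatures matches is "default permit", while a proxy that forwards only requests conforming to the application protocol is "default deny". The signature list, the HTTP grammar checks and the sample requests are all constructed for this example and do not come from any vendor product.

```python
"""
Default-permit signature matching vs. default-deny protocol enforcement.

Added illustration for the Firewall Wizards thread; not code from the thread.
Signatures, grammar rules and sample requests below are constructed.
"""
from __future__ import annotations

import re

# Toy "deep inspection" signature set: the device forwards everything
# except traffic matching one of these patterns (default permit).
SIGNATURES = {
    "traversal": re.compile(rb"\.\./"),
    "cgi_shell": re.compile(rb"/cgi-bin/.*(;|\|)"),
}

# HTTP/1.x request-line grammar a proxy would enforce (default deny).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"(" + TOKEN + rb") (\S+) HTTP/1\.[01]")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}   # site policy, constructed
MAX_TARGET_LEN = 2048                          # site policy, constructed


def signature_inspect(request: bytes) -> tuple[bool, str]:
    """Default permit: block only when a known signature matches."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return False, f"signature:{name}"
    return True, "no signature matched"


def proxy_inspect(request: bytes) -> tuple[bool, str]:
    """Default deny: forward only requests that conform to the protocol."""
    lines = request.split(b"\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method not permitted: {method!r}"
    if len(target) > MAX_TARGET_LEN:
        return False, "request-target too long"
    if not target.startswith(b"/"):
        return False, "request-target must be origin-form"
    if any(c < 0x20 or c > 0x7E for c in target):
        return False, "control or non-ASCII byte in request-target"
    # Reject dot-segments outright instead of trusting the origin server
    # to normalise them.
    if b".." in target.split(b"?")[0].split(b"/"):
        return False, "dot-segment in path"
    for header in lines[1:]:
        if header == b"":
            break  # end of header block
        if b":" not in header:
            return False, "malformed header field"
    return True, "conforms to HTTP/1.x grammar"


# Constructed sample requests: one benign, one matching a signature,
# two that match no signature but violate the protocol or site policy.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "known_traversal": (b"GET /../../etc/passwd HTTP/1.1\r\n"
                        b"Host: www.example.com\r\n\r\n"),
    "novel_long_target": (b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n"
                          b"Host: www.example.com\r\n\r\n"),
    "novel_bad_method": b"FOO /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def compare(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Return {name: (forwarded_by_signature_device, forwarded_by_proxy)}."""
    return {name: (signature_inspect(r)[0], proxy_inspect(r)[0])
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (sig_ok, proxy_ok) in compare().items():
        print(f"{name:20s} signature-device={sig_ok!s:5s} proxy={proxy_ok!s:5s}")
```

The two "novel" requests are the point: neither matches a signature, so the signature device forwards both, while the proxy rejects them simply because they are not well-formed, policy-conformant HTTP. Adding signatures only ever shrinks the set of things a default-permit device lets through; it never changes the model.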

