Firewall Wizards mailing list archives
Re: Time for a new FWTK?
From: "Ellis Luk" <e_luk () hotmail com>
Date: Thu, 27 Nov 1997 13:51:09 PST
Marcus Ranum wrote:
........................... Because the current generation of firewalls is at the end of its intellectual lifespan -- even their designers don't know where to take them next (except better U/Is and VPNs). The proxy firewalls are all adding filtering and the filtering firewalls are all adding proxies.
Your statement seems very true to me. There are really not too many "new" things happening in terms of firewall technology. But on the other hand, there is a FAQ from FW customers which is still not addressed by FW vendors yet. They always ask "How do I know if someone breaks into my firewall?" The firewall log will tell me that someone _attempted_ to break into my firewall (e.g. a SATAN probe, mail with "|sh" in the header). But if someone uses a buffer overflow bug in a proxy to get into my network, the firewall software probably would not send an alert to notify me. Otherwise, the FW vendor would already have patched the bug.

Some try to solve/minimise this problem by chaining 2 different firewalls in series (each running on a different platform), and hope that a bug found in one firewall would not find its way into the second firewall. Some companies try to shift this problem to others by out-sourcing their firewall management to consultants. (According to our marketing, it is a growing business in Australia.)

Nevertheless, I think a firewall and an IDS would be a good solution to this. The firewall serves as an "active" watchdog and the IDS as a "passive" one. But how intelligent can the IDS be? As far as I know, it is still an active research topic with only a few products on the market. If more FW vendors channel their funding to IDS, it will be good. (I hope that the Haystack takeover by TIS would spark some chain reaction :-)
......... I believe (and the market will prove it if I am right) that the future will contain some kind of box that does firewalling-type access control, traffic analysis (what NFR does), and intrusion detection (rules applied atop traffic analysis). This all remains to be seen...
Based on my limited customer contact, your prediction seems to be on the right track to solve their problem.
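The distinction drawn in this exchange, that the firewall's own log shows an *attempt* (a SATAN-style probe, a "|sh" mail header) but would never raise a successful proxy compromise, while a passive IDS applying "rules atop traffic analysis" could, can be made concrete with a small detector. The code below is an added example, not code from this thread, from FWTK or from NFR. The connection records and SMTP headers are constructed inline; the bastion address, the "inside" prefix, the legitimate proxy service ports and the sweep threshold are all assumptions chosen for illustration.

```python
"""Toy 'rules atop traffic analysis' detector (added example, not from the thread).

Two kinds of rule are shown:
  * attempt rules, which reproduce what a firewall log already tells you
    (a port sweep, a shell metacharacter in a mail header), and
  * a compromise rule, which a proxy firewall cannot raise about itself:
    the bastion originating a connection to the outside on a port none of
    its proxies use.
"""
from collections import defaultdict

FIREWALL_HOST = "10.0.0.1"        # assumed: the bastion's own address
INTERNAL_NET = "10.0.0."           # assumed: naive prefix match for "inside"
SERVICE_PORTS = {21, 25, 53, 80}   # assumed: ports the proxies legitimately open outbound
SWEEP_THRESHOLD = 5                # assumed: distinct ports per source that count as a probe

# Constructed connection records: (src, dst, dst_port, direction).
# direction is "in" (arriving at the bastion) or "out" (originated by the bastion).
CONNECTIONS = [
    ("192.0.2.10", "10.0.0.1", 21, "in"),        # SATAN-style sweep from one source
    ("192.0.2.10", "10.0.0.1", 23, "in"),
    ("192.0.2.10", "10.0.0.1", 25, "in"),
    ("192.0.2.10", "10.0.0.1", 79, "in"),
    ("192.0.2.10", "10.0.0.1", 80, "in"),
    ("192.0.2.10", "10.0.0.1", 111, "in"),
    ("198.51.100.7", "10.0.0.1", 25, "in"),      # ordinary inbound mail
    ("10.0.0.1", "198.51.100.7", 25, "out"),     # mail proxy relaying outbound: expected
    ("10.0.0.1", "10.0.0.20", 25, "out"),        # delivery to the inside: expected
    ("10.0.0.1", "203.0.113.5", 31337, "out"),   # bastion calling out on an odd port
]

# Constructed SMTP header lines as seen by the mail proxy.
MAIL_HEADERS = [
    "From: alice@example.com",
    "To: bob@example.net",
    "From: |/bin/sh",                            # classic pipe-to-shell header attack
]


def detect_port_sweep(conns, threshold=SWEEP_THRESHOLD):
    """Attempt rule: one source touching many distinct ports on the bastion."""
    ports_by_src = defaultdict(set)
    for src, _dst, port, direction in conns:
        if direction == "in":
            ports_by_src[src].add(port)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


def detect_shell_metachar(headers):
    """Attempt rule: a header value starting with a pipe, the "|sh" case."""
    hits = []
    for line in headers:
        _name, _sep, value = line.partition(":")
        if value.strip().startswith("|"):
            hits.append(line)
    return hits


def detect_firewall_originated(conns):
    """Compromise rule: a proxy host relays, it does not originate odd traffic.

    Proxies do open outbound connections, but only on their service ports.
    The bastion reaching an outside address on any other port is the kind of
    post-exploitation signal (e.g. after a proxy buffer overflow) that the
    firewall software itself would never log as an alert.
    """
    return [(dst, port) for src, dst, port, direction in conns
            if src == FIREWALL_HOST and direction == "out"
            and not dst.startswith(INTERNAL_NET)
            and port not in SERVICE_PORTS]


def run_rules(conns=CONNECTIONS, headers=MAIL_HEADERS):
    """Apply every rule to the traffic record and return findings by name."""
    return {
        "attempt:port_sweep": detect_port_sweep(conns),
        "attempt:shell_metachar": detect_shell_metachar(headers),
        "compromise:firewall_originated": detect_firewall_originated(conns),
    }


if __name__ == "__main__":
    for rule, finding in run_rules().items():
        print(f"{rule}: {finding}")
```

The first two rules only restate what the firewall's own log already shows; the third is the one an IDS adds, because it judges the bastion's behaviour from outside rather than trusting the proxy to report on itself. A real rule set would need a proper address-prefix match and an allow-list derived from the actual proxy configuration instead of the constants assumed here.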
Current thread:
- RE: Time for a new FWTK? Stout, William (Nov 26)
- <Possible follow-ups>
- RE: Time for a new FWTK? Bret Watson (Nov 26)
- RE: Time for a new FWTK? Craig Brozefsky (Nov 27)
- Re: Time for a new FWTK? Bennett Todd (Nov 28)
- Re: Time for a new FWTK? Craig Brozefsky (Nov 28)
- Re: Time for a new FWTK? Marcus J. Ranum (Nov 28)
- New firewall paradigms, anyone ? Darren Reed (Nov 28)
- Re: New firewall paradigms, anyone ? Marcus J. Ranum (Nov 28)
- RE: Time for a new FWTK? Craig Brozefsky (Nov 27)
- RE: Time for a new FWTK? Bret Watson (Nov 28)
- RE: Time for a new FWTK? Marcus J. Ranum (Nov 28)
- Re: Time for a new FWTK? Mike Shaver (Nov 29)