Firewall Wizards mailing list archives

Re: Time for a new FWTK?


From: "Ellis Luk" <e_luk () hotmail com>
Date: Thu, 27 Nov 1997 13:51:09 PST

Marcus Ranum wrote: 
........................... Because the current
generation of firewalls is at the end of its intellectual
lifespan -- even their designers don't know where to take
them next (except better U/Is and VPNs). The proxy firewalls
are all adding filtering and the filtering firewalls are all adding
proxies.

Your statement seems very true to me. There are really not too many
"new" things happening in terms of firewall technology.
But on the other hand, there is a FAQ from FW customers which
is still not addressed by FW vendors yet.
They always ask "How do I know if someone breaks
into my firewall?"
The firewall log will tell me that someone _attempted_ to
break into my firewall (e.g. SATAN probe, mail with "|sh" in the header).
But if someone uses a buffer overflow bug in a proxy to get
into my network, the firewall software probably would not send
an alert to notify me. Otherwise, the FW vendor would already
have patched up the bug.
Some try to solve/minimise this problem by chaining 2 different
firewalls in series (each running on a different platform),
and hope that a bug found in one firewall would not find its way
into the second firewall.
Some companies try to shift this problem to others by out-sourcing
their firewall management to consultants. (According to our marketing,
it is a growing business in Australia.)

Nevertheless, I think a firewall and an IDS would be a good
solution to this. The firewall serves as an "active" watchdog and
the IDS serves as a "passive" one.
But how intelligent can the IDS be? As far as I know, it
is still an active research topic with only a few products on
the market. If more FW vendors channel their funding into
IDS, it will be good. (I hope that the Haystack takeover by TIS would
spark some chain reaction :-)

......... I believe (and the market will prove it if I am right)
that the future will contain some kind of box that does
firewalling-type access control, traffic analysis (what NFR
does), and intrusion detection (rules applied atop traffic
analysis). This all remains to be seen...   
Based on my limited customer contact, your prediction seems on
the right track to solve their problem.


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
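The post distinguishes a firewall log that records _attempts_ (a SATAN-style port probe, mail with "|sh" in a header) from the "rules applied atop traffic analysis" that Ranum expects an IDS to provide. The following is an added example, not code from the original post or from any product it mentions: it parses a handful of constructed firewall log lines (the line format, the field names and the thresholds are all assumptions made for illustration) and applies two rules on top of them, one that correlates denied connections from one source into a port-sweep alert, and one that flags a permitted SMTP connection whose logged header carries a pipe-to-shell string.

```python
"""Rule-based alerting over constructed firewall log lines.

Added example; not code from the original post or from any vendor it
names. The log format "<epoch> <proto> <src> -> <dst>:<port> <action> [detail]"
and the thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log (assumed format described above). The first six
# lines model a single-source probe of several ports; the "|sh" line models
# the header indicator the post mentions; the rest is benign traffic.
SAMPLE_LOG = """\
880000000 tcp 10.0.0.5 -> 192.0.2.10:25 deny
880000001 tcp 10.0.0.5 -> 192.0.2.10:23 deny
880000001 tcp 10.0.0.5 -> 192.0.2.10:79 deny
880000002 tcp 10.0.0.5 -> 192.0.2.10:111 deny
880000002 tcp 10.0.0.5 -> 192.0.2.10:513 deny
880000003 tcp 10.0.0.5 -> 192.0.2.10:514 deny
880000010 tcp 198.51.100.7 -> 192.0.2.10:25 permit smtp-header From: "|sh -c id"
880000011 tcp 198.51.100.8 -> 192.0.2.10:80 permit
880000012 tcp 198.51.100.9 -> 192.0.2.10:25 permit smtp-header From: alice@example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<action>permit|deny)(?: (?P<detail>.*))?$"
)

SWEEP_PORTS = 5      # distinct denied ports from one source ...
SWEEP_WINDOW = 10    # ... within this many seconds counts as a probe (assumed)
PIPE_RE = re.compile(r"\|\s*(?:/bin/)?sh\b")   # pipe-to-shell indicator in a header


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["port"] = int(d["port"])
            events.append(d)
    return events


def detect_port_sweeps(events):
    """Flag a source whose denied connections touch >= SWEEP_PORTS distinct ports within SWEEP_WINDOW seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_src[e["src"]].append((e["ts"], e["port"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= SWEEP_WINDOW}
            if len(ports) >= SWEEP_PORTS:
                alerts.append((src, sorted(ports)))
                break   # one alert per source is enough
    return alerts


def detect_pipe_to_shell(events):
    """Flag permitted SMTP traffic whose logged header detail contains a pipe-to-shell string."""
    return [
        (e["src"], e["detail"])
        for e in events
        if e["action"] == "permit" and e["port"] == 25
        and e.get("detail") and PIPE_RE.search(e["detail"])
    ]


def run(log_text=SAMPLE_LOG):
    """Apply both rules and return the alerts keyed by rule name."""
    events = parse(log_text)
    return {
        "sweeps": detect_port_sweeps(events),
        "pipe_to_shell": detect_pipe_to_shell(events),
    }


if __name__ == "__main__":
    for kind, alerts in run().items():
        for alert in alerts:
            print(kind, alert)
```

The point of the split is the one the post makes: the firewall's deny entries alone only show that something was tried, and a bare permit entry would show nothing at all; the alerts only appear once a second layer correlates entries across time (the sweep rule) or inspects what the firewall let through (the header rule).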


