Firewall Wizards mailing list archives

Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Crispin Cowan <crispin () wirex com>
Date: Mon, 12 Aug 2002 23:54:05 -0700

Stiennon, Richard wrote:

> All well and good Crispin.  I agree that devices such as OneSecure's or
> Intruvert's do provide gateway security therefore could be called firewalls.
> However they have NO ability to apply a security policy based on
> connections. I can't ask one of these devices to enforce:
>
> From IP address to IP address using FTP, ALLOW.
>
> They also are not configured with multiple ports to provide for standard
> zoning.

So they are firewalls with critical features missing, and thus need to be composed with more classical firewalls. This kind of comparison might help consumers decide what they need to buy, and might help product vendors discover that their signature firewalls are missing a feature or two.

> These inline-inspection and action engines are doing something all firewalls
> cannot: Re-assembling packets into sessions and comparing to extensive list
> of signatures and dropping sessions.

That's just a new way of doing network access control. It's still firewall work.

> It may be that signature, protocol, and behavior based blocking will someday
> be in the firewall but they are not there today. Since these products are
> targeted at replacing IDS devices, not firewalls,

"Targeted"? In what sense? NIDS can be deployed configured to be highly sensitive, with analysts reading the output to decide what to really care about. Signature firewalls had better not be deployed that way, or a lot of legitimate traffic will get blocked.

> it makes sense to call
> them something like Intrusion Prevention devices rather than Layer7-8
> firewalls or something else.

I submit that it does not make sense to do that. Rather, it confounds the market and makes comparisons difficult for product consumers.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
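The two capabilities argued over in this exchange can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any product it names: a toy connection-policy engine of the "From IP address to IP address using FTP, ALLOW" kind, composed with a toy signature engine that reassembles a TCP stream before matching. Running the signature engine in "alert" mode versus "block" mode shows Crispin's point that a loose, NIDS-style signature an analyst can triage will drop legitimate traffic once it is inline. All addresses, ports, rules, signatures and packets are constructed sample data; the "hypothetical" flow key and service table are assumptions of this example.

```python
"""Toy composition of a classical 5-tuple firewall with a session-
reassembling signature engine (added example; all data constructed)."""
from dataclasses import dataclass
import re
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]  # (src ip, dst ip, dst port) - hypothetical key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    seq: int        # byte offset within the stream (simplified TCP seq)
    payload: bytes


# --- Classical firewall: policy on addresses and services --------------
@dataclass(frozen=True)
class Rule:
    src: str        # exact IP or "any"
    dst: str        # exact IP or "any"
    service: str    # "ftp", "http" or "any"
    action: str     # "ALLOW" or "DENY"


SERVICES = {"ftp": 21, "http": 80}  # assumed service-to-port table


def connection_policy(rules: List[Rule], pkt: Packet, default: str = "DENY") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for r in rules:
        if r.src not in ("any", pkt.src):
            continue
        if r.dst not in ("any", pkt.dst):
            continue
        if r.service != "any" and SERVICES[r.service] != pkt.dport:
            continue
        return r.action
    return default


# --- Signature engine: reassemble sessions, then match ------------------
SIGNATURES = {
    # Constructed signatures. The first is deliberately loose: it fires on
    # any request under /admin, which is routine for a site's own staff.
    "loose-admin-path": re.compile(rb"GET /admin", re.I),
    "overlong-ftp-user": re.compile(rb"USER \S{200,}"),
}


def reassemble(packets: List[Packet]) -> Dict[FlowKey, bytes]:
    """Group packets by flow and concatenate payloads in sequence order."""
    flows: Dict[FlowKey, List[Packet]] = {}
    for p in packets:
        flows.setdefault((p.src, p.dst, p.dport), []).append(p)
    return {k: b"".join(p.payload for p in sorted(v, key=lambda p: p.seq))
            for k, v in flows.items()}


def packet_level_hits(packets: List[Packet]) -> List[Tuple[FlowKey, str]]:
    """What a per-packet matcher (no reassembly) would see."""
    return [((p.src, p.dst, p.dport), name)
            for p in packets
            for name, pat in SIGNATURES.items() if pat.search(p.payload)]


def signature_engine(flows: Dict[FlowKey, bytes], mode: str) -> Dict[FlowKey, Tuple[str, List[str]]]:
    """mode='alert' logs and passes (NIDS style); mode='block' drops the session."""
    verdicts = {}
    for key, stream in flows.items():
        hits = [name for name, pat in SIGNATURES.items() if pat.search(stream)]
        if not hits:
            verdicts[key] = ("PASS", hits)
        elif mode == "alert":
            verdicts[key] = ("PASS+ALERT", hits)
        else:
            verdicts[key] = ("DROP", hits)
    return verdicts


def composed(rules: List[Rule], packets: List[Packet], mode: str) -> Dict[FlowKey, Tuple[str, List[str]]]:
    """Classical policy first; only allowed traffic reaches the signature engine."""
    allowed = [p for p in packets if connection_policy(rules, p) == "ALLOW"]
    return signature_engine(reassemble(allowed), mode)


# Constructed policy and traffic.
RULES = [
    Rule("10.0.0.5", "192.0.2.10", "ftp", "ALLOW"),
    Rule("any", "192.0.2.20", "http", "ALLOW"),
]
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 21, 0, b"USER alice\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 21, 12, b"PASS hunter2\r\n"),
    # A staff member's request for /admin/dashboard, arriving out of order
    # and split so that no single packet contains "GET /admin".
    Packet("10.0.0.7", "192.0.2.20", 80, 7, b"min/dashboard HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.20", 80, 0, b"GET /ad"),
    # Telnet from an unlisted host: denied by policy, never inspected.
    Packet("10.0.0.9", "192.0.2.10", 23, 0, b"\xff\xfb\x01"),
]

if __name__ == "__main__":
    print("per-packet hits:", packet_level_hits(PACKETS))
    for mode in ("alert", "block"):
        print(mode, composed(RULES, PACKETS, mode))
```

The per-packet matcher finds nothing because the loose signature only appears once the two HTTP packets are reassembled; in alert mode the staff request passes with an alert for an analyst to dismiss, while in block mode the same legitimate session is dropped. The telnet flow never reaches the signature engine at all, which is the zoning/connection-policy work the thread says these inline boxes lack.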


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

