Firewall Wizards mailing list archives

Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Crispin Cowan <crispin () wirex com>
Date: Mon, 12 Aug 2002 23:54:13 -0700

M. Dodge Mumford wrote:

> On Mon, 12 Aug 2002, Crispin Cowan wrote:
> > Is anyone besides me sick to death of hearing about "intrusion
> > prevention" and "gateway intrusion detection" technologies?
>
> Occasionally I grow weary of many labels, whether they're applied to
> security devices, styles of painting, or music. Then I remember that people
> who aren't experts at things need to put like things together.

Hence my complaint. Things that are really signature firewalls are being
marketed as "inline-IDS" or "intrusion prevention", making it relatively
difficult for consumers to notice that they're really buying a different
kind of firewall.

> When they
> realize they need or want a thing, they look at the different options
> available. Creating new categories (or market segments) can help new
> technologies get off the ground. Sure it creates confusion at first, but in
> that confusion you can get your foot in the door and make your product
> better.

That's one possibility, but I don't often see technical improvement coming
out of market confusion. Rather the converse; the confusion is used to avoid
critical comparisons, leading to weaker products getting away with stuff
because they are not compared to their true competitors. This applies both
ways between signature firewalls and classical firewalls.

> As far as I can tell, the main reason most firewalls haven't advanced
> particularly is because a very narrow definition of what a firewall must be
> has been commonly accepted. It appears the definition of what a firewall
> must be is something along the lines of "A gateway that filters network
> traffic based on static rules about which hosts may communicate using
> specific protocols and specific ports". If that is accepted as a definition
> for a firewall,

It is not accepted: it overtly excludes all of the firewalls built prior to
approximately 1993 (others would know better than I when packet filtering
was introduced to the firewall business).

> I find it surprising that there aren't (more? any?) gateway devices that
> will defragment traffic, create new TCP ISNs (preferably using an onboard
> random number generator), check TCP sequences, implement "firewall-like
> rules" <cough>, and make it easy to do higher-level blocking. Higher-level
> to me means things like blocking specific websites and stripping unknown
> tags from HTML; blocking email messages that are known spam or contain MS
> executables; making sure that idle SSH sessions time out; unmangling DNS
> requests before resending them.

/me confused. I thought there were tons of such firewalls. Some are marketed
as application proxy firewalls, while others are marketed as "content
filters" (another way to say "firewall").

> Attacks are happening at (nearly) all the layers and firewalls appear to be
> happily ignoring them. That's what is letting these "new technologies"
> happen.

Only if you synthetically define "firewalls" to be a subset of firewalls :)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards