Firewall Wizards mailing list archives

Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Crispin Cowan <crispin () wirex com>
Date: Mon, 12 Aug 2002 23:54:22 -0700

Ryan Russell wrote:

> So, if I may summarize your question: "Don't buzzwords suck, and isn't
> this a firewall"?  To which I respond: define firewall.

> (according to me) firewall, n.: A network access control device.

A firewall decides whether traffic on one side of it may pass to the other side, and in what form.

> From what I understand about Barnyard (and that I assume others do as
> well) is that it will "normalize" packets to some degree, use IDS-style
> rules, and add blocking.  One could easily argue that firewalls should
> have been able to do the packet normalization and much more granular rules
> for years.  I'm aware of very few that do.

Huh? Application proxy firewalls have ALWAYS done that. It is only the relatively recent form of packet filter firewalls that let traffic through without normalizing it.

> Most people can only point to
> a box of parts or manuals and CDs, and call that a "firewall".

Here's a nice pile of stuff that does traffic normalizing http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=12764279&EID=0

(I have no affiliation with Symantec)

> Based on
> what those do, and what Barnyard does, they are not quite the same beast.
> If you want to use the broad, conceptual definition of "firewall", then
> they are firewalls.

If you use the definition that is broad enough to include the original firewall design, and the newcomer upstarts like Checkpoint :) that amounts to "network access control device", then Hogwash certainly is a firewall. The succinct distinction is that inline IDSes (signature firewalls) are using the default-allow policy instead of the default-deny policy.

> I think a more interesting question is: if GIDS is the new "firewall",
> then why did firewalls running on top end PCs max at 100mbps or so with
> just a few dozen rules and terribly simple filtering capabilities... while
> a GIDS with much more interesting filtering capabilities and a few
> thousand rules can also do the same?  Did PCs just get that much faster?

I agree with the comment that it's because people tolerate NIDS failing open, whereas they would not tolerate that from a classical firewall. I sure HOPE that signature firewalls don't fail open.

> (I think part of the answer has to do with the fact that IDS' are much
> less concerned with various groups of IP addresses, like inside, outside,
> DMZ, web_servers, etc...)

I find it difficult to believe that a device can look up a signature faster than it can look up an IP address.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
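The two policies Crispin contrasts above (a default-deny packet filter versus a default-allow signature device), together with the fail-open behaviour he hopes signature firewalls avoid, as an added toy model in Python. This is an illustrative example written for this archive page; it is not code from the post, from Hogwash, Barnyard or any product named in the thread. The zones, addresses, allow rules, the one content signature and the sample packets are all constructed assumptions chosen so that each policy lets through something the other blocks.

```python
"""Toy model: default-deny packet filter vs default-allow signature blocker.

Added example, not from the original mailing-list post. All zones, rules,
signatures and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # application data, assumed already reassembled


# Hypothetical zones, built from documentation and private address ranges.
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
INSIDE = ipaddress.ip_network("10.0.0.0/8")

Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str, int]

# Hypothetical allow list: (src zone, dst zone, proto, dport).
ALLOW_RULES: List[Rule] = [
    (ANY, DMZ, "tcp", 80),       # anyone may reach the DMZ web server
    (INSIDE, ANY, "tcp", 443),   # inside hosts may browse out over HTTPS
]


def default_deny(pkt: Packet, rules: Iterable[Rule] = ALLOW_RULES) -> str:
    """Classic firewall policy: a packet passes only if some rule permits it."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, proto, dport in rules:
        if (src in src_net and dst in dst_net
                and pkt.proto == proto and pkt.dport == dport):
            return "pass"
    return "drop"   # nothing matched: the default applies


Signature = Callable[[Packet], bool]   # True means "known-bad pattern seen"


def sig_sqli(pkt: Packet) -> bool:
    """Toy content signature: a classic tautology in the request body."""
    return b"' or 1=1" in pkt.payload.lower()


def sig_faulty(pkt: Packet) -> bool:
    """Simulates an engine fault (bad rule, exhausted memory) to show fail-open."""
    raise RuntimeError("signature engine fault")


SIGNATURES: List[Signature] = [sig_sqli]


def default_allow(pkt: Packet, signatures: Iterable[Signature] = SIGNATURES,
                  fail_open: bool = True) -> str:
    """Inline-IDS policy: a packet is dropped only if some signature matches."""
    try:
        for sig in signatures:
            if sig(pkt):
                return "drop"
        return "pass"   # nothing matched: the default applies
    except Exception:
        # A NIDS that fails open keeps forwarding when its engine breaks;
        # a device sold as a firewall should fail closed instead.
        return "pass" if fail_open else "drop"


# Constructed traffic: a benign web request, an SMB probe at an inside host
# for which no rule exists, and an injection attempt on the permitted web port.
WEB_GET = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.0\r\n\r\n")
SMB_PROBE = Packet("203.0.113.7", "10.0.0.5", "tcp", 445, b"\x00\x00\x00\x85\xffSMB")
SQLI = Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
              b"POST /login HTTP/1.0\r\n\r\nuser=admin' OR 1=1--")


def compare(traffic: Iterable[Tuple[str, Packet]]) -> List[Tuple[str, str, str]]:
    """Return (name, default-deny verdict, default-allow verdict) per packet."""
    return [(name, default_deny(pkt), default_allow(pkt)) for name, pkt in traffic]


if __name__ == "__main__":
    sample = [("web_get", WEB_GET), ("smb_probe", SMB_PROBE), ("sqli", SQLI)]
    for row in compare(sample):
        print("%-10s default-deny=%-5s default-allow=%s" % row)
    print("engine fault, fail_open=True :", default_allow(WEB_GET, [sig_faulty], True))
    print("engine fault, fail_open=False:", default_allow(WEB_GET, [sig_faulty], False))
```

Run as a script, the table shows the asymmetry Crispin describes: the SMB probe to an inside host is dropped by the default-deny filter (no rule permits it) but passes the signature device (no signature names it), while the injection attempt passes the filter (port 80 to the DMZ is allowed and the filter does not look at content) but is dropped by the signature device. The last two lines show the same engine fault handled fail-open and fail-closed.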


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

