Firewall Wizards mailing list archives
Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: Crispin Cowan <crispin () wirex com>
Date: Mon, 12 Aug 2002 23:54:22 -0700
Ryan Russell wrote:
> So, if I may summarize your question: "Don't buzzwords suck, and isn't this a firewall"? To which I respond: define firewall.
>
> (according to me) firewall, n.: A network access control device. A firewall decides whether traffic on one side of it may pass to the other side, and in what form.

Huh? Application proxy firewalls have ALWAYS done that. It is only the relatively recent form of packet filter firewalls that let traffic through without normalizing it.

> From what I understand about Barnyard (and that I assume others do as well) is that it will "normalize" packets to some degree, use IDS-style rules, and add blocking. One could easily argue that firewalls should have been able to do the packet normalization and much more granular rules for years. I'm aware of very few that do.

Here's a nice pile of stuff that does traffic normalizing: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=12764279&EID=0
Most people can only point to a box of parts or manuals and CDs, and call that a "firewall".

(I have no affiliation with Symantec)

> If you use the definition that is broad enough to include the original firewall design, and the newcomer upstarts like Checkpoint :) that amounts to "network access control device" then Hogwash certainly is a firewall.

The succinct distinction is that inline IDS's (signature firewalls) are using the default-allow policy instead of the default-deny policy.

> Based on what those do, and what Barnyard does, they are not quite the same beast. If you want to use the broad, conceptual definition of "firewall", then they are firewalls.
>
> I agree with the comment that it's because people tolerate NIDS failing open, whereas they would not tolerate that from a classical firewall.

I sure HOPE that signature firewalls don't fail open.

> I think a more interesting question is: if GIDS is the new "firewall", then why did firewalls running on top-end PCs max at 100 Mbps or so with just a few dozen rules and terribly simple filtering capabilities... while a GIDS with much more interesting filtering capabilities and a few thousand rules can also do the same? Did PCs just get that much faster?

I find it difficult to believe that a device can look up a signature faster than it can look up an IP address.

> (I think part of the answer has to do with the fact that IDS' are much less concerned with various groups of IP addresses, like inside, outside, DMZ, web_servers, etc...)
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                  http://wirex.com/~crispin/
Security Hardened Linux Distribution:   http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
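The policy distinction drawn in the message above (a classical firewall is default-deny, an inline signature IDS is default-allow) and the fail-open question are easy to see side by side in code. The following is an added example, not code from the thread, from Hogwash, Barnyard or any product mentioned: it runs a constructed packet stream through a default-deny allow list and a default-allow signature list, and wraps each engine so that an engine error either fails open or fails closed. The traffic, the allow list and the signature are all made up for the example.

```python
"""Default-deny firewall policy vs. default-allow signature policy, with
fail-open / fail-closed handling of engine errors.

Added example for the firewall-wizards thread; all traffic and rules are
constructed for illustration and do not describe any real product."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (not captured data).
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),        # ordinary request
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/known-bad HTTP/1.0\r\n\r\n"), # matches a signature
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/new-hole HTTP/1.0\r\n\r\n"),  # attack with no signature yet
    Packet("10.0.0.5", "192.0.2.10", 6667, b"NICK bot\r\n"),                           # service the policy never named
    Packet("10.0.0.5", "192.0.2.10", 80, b"\xff\xfe\x00 not text"),                    # undecodable payload: breaks the engine
]

# Default-deny: an allow list of (destination, port). Anything not listed is dropped.
ALLOW = {("192.0.2.10", 80)}

# Default-allow: a drop list of payload signatures (hypothetical pattern). Anything unmatched passes.
SIGNATURES = [re.compile(r"/cgi-bin/known-bad")]


def firewall_policy(pkt: Packet) -> str:
    """Classical firewall: pass only what the policy explicitly names."""
    return "allow" if (pkt.dst, pkt.dport) in ALLOW else "drop"


def signature_policy(pkt: Packet) -> str:
    """Inline signature IDS: drop only what a signature explicitly names.
    The strict UTF-8 decode stands in for any parser that can choke on input."""
    text = pkt.payload.decode("utf-8")
    return "drop" if any(sig.search(text) for sig in SIGNATURES) else "allow"


def inline(pkt: Packet, engine, fail_open: bool) -> str:
    """Run the engine on one packet; on an engine error, fail open (pass) or fail closed (drop)."""
    try:
        return engine(pkt)
    except Exception:
        return "allow" if fail_open else "drop"


def run(engine, fail_open: bool) -> list:
    return [inline(p, engine, fail_open) for p in TRAFFIC]


def compare() -> dict:
    """Verdict lists for the three deployments, in TRAFFIC order."""
    return {
        "firewall": run(firewall_policy, fail_open=False),
        "ids_fail_open": run(signature_policy, fail_open=True),
        "ids_fail_closed": run(signature_policy, fail_open=False),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:16s} {verdicts}")
```

Reading the verdicts in order: the default-deny allow list drops the unexpected IRC flow and the undecodable packet but passes the known-bad request, because a port-level filter never looks at the payload (the normalization point made above). The signature engine drops the known-bad request but passes the attack it has no signature for and the unexpected service, and on the packet that breaks its parser its verdict depends entirely on whether the deployment fails open or closed.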
Current thread:
- GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Paul D. Robertson (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ryan Russell (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Frank Knobbe (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ryan Russell (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Barney Wolff (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name B. Scott Harroff (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Frank Knobbe (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Iván Arce (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 14)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Mikael Olsson (Aug 14)
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ofir Arkin (Aug 16)
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 17)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 17)
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ofir Arkin (Aug 17)