Firewall Wizards mailing list archives

RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Thu, 15 Aug 2002 10:21:34 +1000

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () clavister com]
"Marcus J. Ranum" wrote:

input:
        if we've been told to encrypt it to someplace else {
        [...]
        if it's permitted {
        [...]
        if it's denied {
        [...]


Wait, let me summarize that for you:

      while(manageable_and_secure(code_complexity)) {
              add_more_code();
      }

      add_more_code();
      add_more_code();
      add_more_code();

      release^Wescape(leaving_bloody_trail_of_designers_and_qa_people);

;)

On the contrary, this flow allows a significant amount of logical and/or
physical separation.
Using this model, it is very easy to separate VPN processing, packet ACLs,
and honeypot functions (separation of IDS is slightly more difficult, but
can be achieved as well....)

Poorly implemented, this model would allow for megalithic, bloated code, with
far too much occurring on one system. This would also lead to performance
issues. :-(

Regards,
Crispin Harris
Senior Security Consultant (Sydney)
DeMorgan Information Security Systems 
Toll Free: 1800-DEMORG (33 66 74)
Office: 02-9929-0377 Fax: 02-9499 4885
----------------------------------------------------

 This correspondence is for the named person's use only.  It may
 contain confidential or legally privileged information or both.
 No confidentiality or privilege is waived or lost by any
 mistransmission.  If you receive this correspondence in error, please
 immediately delete it from your system and notify the sender.  You
 must not disclose, copy or rely on any part of this correspondence
 if you are not the intended recipient.
 
 Any views expressed in this message are those of the individual sender,
 except where the sender expressly, and with authority, states them to
 be the views of DeMorgan Pty Ltd.
 
 This e-mail has been checked for known Viruses. It is the responsibility
 of the receiver to check their system for infected files and any such
 file is deemed not to be the responsibility of DeMorgan.

---------------------------------------------------------
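The following is an added illustration of the point argued in this message, not code from the thread or from any of the posters: the quoted "encrypt it to someplace else / permitted / denied" flow modelled as three independently replaceable stages (VPN policy, packet ACL, honeypot), so that each could be moved to its own process or box without touching the others. The stage classes, addresses, tunnel table, ACL rules and honeypot port list are all constructed for the example.

```python
"""Minimal model of the input -> tunnel? -> permitted? -> denied? flow.

Added example, not code from the mailing-list thread.  Every address,
rule and hostname below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str   # "tunnel", "forward", "honeypot" or "drop"
    stage: str    # which stage made the decision
    detail: str = ""


class VpnStage:
    """'if we've been told to encrypt it to someplace else'.

    Knows only the tunnel table; it never sees ACL or honeypot policy.
    """

    def __init__(self, tunnels: dict):
        # tunnels maps a destination network to the peer gateway it is
        # encrypted towards (assumed table, constructed for the example).
        self.tunnels = [(ip_network(net), peer) for net, peer in tunnels.items()]

    def decide(self, pkt: Packet) -> Optional[Verdict]:
        dst = ip_address(pkt.dst)
        for net, peer in self.tunnels:
            if dst in net:
                return Verdict("tunnel", "vpn", f"encrypt to {peer}")
        return None  # not ours; let the next stage look at it


class AclStage:
    """'if it's permitted' / 'if it's denied': first matching rule wins."""

    def __init__(self, rules: List[Tuple[str, str, str, Optional[int], str]]):
        # (src_net, dst_net, proto, dport or None for any, "permit"|"deny")
        self.rules = [(ip_network(s), ip_network(d), p, port, act)
                      for s, d, p, port, act in rules]

    def decide(self, pkt: Packet) -> Optional[str]:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for src_net, dst_net, proto, port, action in self.rules:
            if (src in src_net and dst in dst_net and proto == pkt.proto
                    and (port is None or port == pkt.dport)):
                return action
        return None  # no rule matched; caller applies the default


class HoneypotStage:
    """Handles only what the ACL already denied: lure or drop."""

    def __init__(self, lured_ports: set, honeypot_addr: str):
        self.lured_ports = lured_ports
        self.honeypot_addr = honeypot_addr

    def decide(self, pkt: Packet) -> Verdict:
        if pkt.dport in self.lured_ports:
            return Verdict("honeypot", "honeypot", f"redirect to {self.honeypot_addr}")
        return Verdict("drop", "honeypot", "denied, not a lured service")


class Firewall:
    """The dispatcher mirrors the quoted flow; the stages are swappable."""

    def __init__(self, vpn: VpnStage, acl: AclStage, honeypot: HoneypotStage):
        self.vpn, self.acl, self.honeypot = vpn, acl, honeypot

    def dispatch(self, pkt: Packet) -> Verdict:
        verdict = self.vpn.decide(pkt)
        if verdict is not None:            # told to encrypt it elsewhere
            return verdict
        decision = self.acl.decide(pkt)
        if decision == "permit":            # it's permitted
            return Verdict("forward", "acl")
        if decision == "deny":              # it's denied
            return self.honeypot.decide(pkt)
        return Verdict("drop", "default", "no matching rule")  # default deny


def build_demo_firewall() -> Firewall:
    """Constructed policy for the example (not a real deployment)."""
    vpn = VpnStage({"192.168.100.0/24": "203.0.113.1"})
    acl = AclStage([
        ("10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "permit"),
        ("0.0.0.0/0", "10.0.0.0/8", "tcp", None, "deny"),
    ])
    honeypot = HoneypotStage({23, 445}, "10.99.0.1")
    return Firewall(vpn, acl, honeypot)


# Constructed sample traffic.
DEMO_PACKETS = [
    Packet("10.0.0.5", "192.168.100.7", "tcp", 443),   # into the tunnel
    Packet("10.0.0.5", "198.51.100.10", "tcp", 80),    # permitted
    Packet("198.51.100.200", "10.0.0.5", "tcp", 23),   # denied, lured
    Packet("198.51.100.200", "10.0.0.5", "tcp", 22),   # denied, dropped
    Packet("10.0.0.5", "198.51.100.10", "udp", 53),    # no rule, default
]


def run_demo() -> List[Tuple[str, str]]:
    fw = build_demo_firewall()
    return [(v.action, v.stage) for v in (fw.dispatch(p) for p in DEMO_PACKETS)]


if __name__ == "__main__":
    for pkt, (action, stage) in zip(DEMO_PACKETS, run_demo()):
        print(f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: {action} ({stage})")
```

Because each stage only sees its own table and exposes one `decide` call, the VPN stage could sit on a separate crypto box and the honeypot stage on its own host, with the dispatcher unchanged; the "megalithic" failure mode the message warns about is what you get when the three tables and the dispatcher are fused into one set of conditionals.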
