Firewall Wizards mailing list archives
RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 17 Aug 2002 15:37:55 -0400
> Remember when we only had proxies (application-level gateways and regular ones) and packet filters. Then other concepts came along such as "dynamic filtering" and "stateful inspection".
"Stateful Inspection" and "Dynamic Filtering" are crap terms that marketing idiots made up for what are fundamentally just more sophisticated packet filtering and proxying implementations. They don't really mean anything. But that's what marketing idiots do for a living, so it's inevitable. I think the whole "is stateful inspection really something new?" argument has been done to death over and over but I'm prepared to do it again. Though if you look back at the firewalls mailing list archives you'll find that other people have done it better and with more patience than I could. ;)
> We wish the firewall to understand the protocol, to analyze at least some of the stuff traversing the firewall and to be able to drop packets on issues other than source and destination port.
Any _DECENT_ firewall should/already function on more complex rules than just source/destination port. But that's just a feature-set. If you look at the core features of firewalls they have changed relatively little. The main changes have been to make them faster (and in many cases more permissive of traffic that they probably should be mediating more closely) and other than that they're the same as they were 14 years ago.
> Look for Sidewinder and CheckPoint FW-1 NG (cool stuff there).
I haven't looked super closely at CheckPoint's NG though I sat through a few briefings and demos (about 8 hours worth...) - as far as I can see there's nothing new there in _firewalling_ technology. Though CheckPoint appears to have caught on to the idea that firewalls are an _enterprise_ technology and have shored up their products' manifest weaknesses regarding distributed maintenance and management. That's not innovation; that's repairing an oversight. :) [For the record: they did a better job with distributed management than any firewall I ever wrote, I must say. Back when I was building firewalls I felt that distributed centralized management was a form of braindamage I wanted to avoid. I was wrong...]
> Hogwash is cool; do not forget it is open source and developed in the spare time of Jed. At the end of the day it works well and provides exactly what Jed tells you it provides.
All software is inherently victim, or subject, to the time-whims of whatever management structure (or lack thereof) sits atop it... I could show you the scars I got while I was learning this lesson. ;)
> Damn, we did not even get to the software vs. hardware issue and the lovely fake tests on IDSs and firewalls (just a hint for MJR :P )
What, you mean rigging benchmarks? Surely nobody would do such an unethical thing! They'd have no customers left if they did it, right?!? <sigh> ;)

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjr () ranum com (http://www.ranum.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
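The exchange above argues that "stateful inspection" is just a more sophisticated packet filter. The following toy model, added here as an illustration and not code from the thread or from any product named in it, shows concretely what the extra sophistication buys: a rule set that decides on addresses and ports alone must leave inbound high ports open so replies can get back in, while a filter that remembers the connections it has seen can admit only genuine replies. The address range, flag handling and packets are constructed for the example; a real connection tracker would also handle timeouts, teardown and UDP/ICMP.

```python
"""Toy comparison of a stateless packet filter and a connection-tracking one.

Constructed example: 10.0.0.0/24 is treated as the inside network and
every other address as outside. Only TCP SYN/ACK flags are modelled.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Classic address/port rules with no memory between packets.

    Outbound traffic from the inside is allowed. Inbound traffic must be
    allowed to ephemeral ports (>= 1024) or replies to inside clients would
    never arrive; the cost is that ANY outside host may reach ANY high port.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.dport >= 1024:
        return True  # the weakness the stateful variant removes
    return False


class StatefulFilter:
    """Same outbound policy, but inbound packets are admitted only when they
    belong to a connection an inside host opened first."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.conns: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.conns.add(key)  # inside host initiates: remember it
                return True
            return key in self.conns  # later outbound packets need state
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return key in self.conns  # only replies to tracked connections
        return False


def compare(pkts: list[Packet]) -> list[tuple[bool, bool]]:
    """Run both filters over a packet sequence; returns (stateless, stateful) verdicts."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.decide(p)) for p in pkts]


# Constructed traffic: a legitimate web connection, then an unsolicited probe.
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True),        # client SYN out
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),  # server SYN/ACK back
    Packet("203.0.113.9", 31337, "10.0.0.5", 40001),                 # unsolicited inbound to a high port
]

if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a} stateful={b}")
```

Both filters pass the client's SYN and the server's reply; only the stateless one also passes the third packet, which is exactly the class of traffic the thread describes firewalls as having to "mediate more closely".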