Firewall Wizards mailing list archives

RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 17 Aug 2002 15:37:55 -0400
Remember when we only had proxies (application-level gateways and
regular ones) and packet filters? Then other concepts came along, such as
"dynamic filtering" and "stateful inspection".

"Stateful Inspection" and "Dynamic Filtering" are crap terms that
marketing idiots made up for what are fundamentally just more
sophisticated packet filtering and proxying implementations. They
don't really mean anything. But that's what marketing idiots do
for a living, so it's inevitable.

I think the whole "is stateful inspection really something new?" argument
has been done to death over and over but I'm prepared to do it again.
Though if you look back at the firewalls mailing list archives you'll find
that other people have done it better and with more patience than I could. ;)

We wish the firewall to understand the protocol, to analyze at least
some of the stuff traversing the firewall, and to be able to drop packets
on issues other than source and destination port.

Any _DECENT_ firewall should/already function on more complex
rules than just source/destination port. But that's just a feature-set.
If you look at the core features of firewalls they have changed
relatively little. The main changes have been to make them faster
(and in many cases more permissive of traffic that they probably
should be mediating more closely) and other than that they're
the same as they were 14 years ago.

Look for Sidewinder and CheckPoint FW-1 NG (cool stuff there).

I haven't looked super closely at CheckPoint's NG though I sat
through a few briefings and demos (about 8 hours worth...) - as far
as I can see there's nothing new there in _firewalling_ technology.
Though CheckPoint appears to have caught on to the idea that
firewalls are an _enterprise_ technology and have shored up their
products' manifest weaknesses regarding distributed maintenance
and management. That's not innovation; that's repairing an oversight. :)
[For the record: they did a better job with distributed management
than any firewall I ever wrote, I must say. Back when I was building
firewalls I felt that distributed centralized management was a form
of braindamage I wanted to avoid. I was wrong...]

Hogwash is cool; do not forget it is open source and developed in
Jed's spare time. At the end of the day it works well and provides
exactly what Jed tells you it provides.

All software is inherently victim, or subject, to the time-whims of
whatever management structure (or lack thereof) sits atop it...
I could show you the scars I got while I was learning this lesson. ;)

Damn, we did not even get to the software vs. hardware issue and the
lovely fake tests on IDSs and firewalls (just a hint for MJR :P ).

What, you mean rigging benchmarks? Surely nobody would do such
an unethical thing! They'd have no customers left if they did it, right?!?

<sigh> ;)
mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjr () ranum com  (http://www.ranum.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
