Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: "Stiennon,Richard" <richard.stiennon () gartner com>
Date: Sat, 30 Mar 2002 13:37:52 -0500
Whoa guys, I think you are way off base here. Intrusion prevention is distinct from "Firewalling + anti-virus". Firewalls are access control devices that apply a set of rules (filters) based on source, destination, and service (port number). Oh, OK, you can get more granular and have rules based on time of day, authentication, etc.

The technology introduced by OneSecure, Tippingpoint, and Intruvert in recent weeks is way different. They have expanded the concept of stateful inspection to help with the through-put issue. Instead of attempting to do a 100% comparison of every signature with every packet they only compare relevant portions of a stream to relevant signatures. When a match is made (or an anomaly detected) the device just drops the session. There is no rule added that blocks access from a source. You could hack away at my web server all day from AOL and I would drop your attempts (those using known hacks) while still allowing all of AOL to see my web pages.

Host hardening systems from the likes of Okena, and Entercept are different from Firewalls + AV too.

This is a sea change in defensive technologies folks. It breaks away from the more-better-faster IDS camp.

-Stiennon

-----Original Message-----
From: Crispin Cowan [mailto:crispin () wirex com]
Sent: Friday, March 29, 2002 3:53 PM
To: Marcus J. Ranum
Cc: Pieper, Rodney; Stiennon,Richard; 'Gary Flynn'; 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Intrusion Prevention Firewall

Marcus J. Ranum wrote:
I suspect you are referring to "intrusion prevention" - which is a hot new marketing term but basically everything that's being billed as "intrusion prevention" is just firewalling + antivirus with a bit of fresh paint on it.
... and that bugs me, because I've been trying to characterize Immunix-style defenses (StackGuard, FormatGuard, RaceGuard, etc.) as "intrusion rejection", which really means something: applications that abort themselves when they detect that they're being hacked. Now these dorky marketing people have ruined a perfectly good buzz phrase by making it synonymous with "firewalls" :-(

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
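
The behaviour described in the message above (compare only the relevant portion of a stream with the relevant signatures, drop the matching session, add no rule against the source), as an added Python example that is not part of the original post and is not any named vendor's code. The signature names and patterns, the class and method names, and the addresses are constructed assumptions, and only HTTP request lines and headers are given signatures here.

```python
import re

# Constructed signatures, keyed by the part of the stream they apply to.
SIGNATURES = {
    "http_uri": [
        ("dir-traversal", re.compile(rb"\.\./")),
        ("cmd-exe-request", re.compile(rb"cmd\.exe", re.I)),
    ],
    "http_header": [
        ("oversized-host", re.compile(rb"^host:.{256,}", re.I)),
    ],
}

class InlineInspector:
    """Per-session verdicts; there is deliberately no per-source block list."""

    def __init__(self):
        self.dropped = {}      # (src, sport) -> name of the signature that fired
        self.comparisons = 0   # signature comparisons actually performed

    @staticmethod
    def contexts(payload):
        """Yield (context, bytes) pairs for an HTTP request; the body is skipped."""
        head = payload.split(b"\r\n\r\n", 1)[0]
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) >= 2:
            yield "http_uri", parts[1]
        for line in lines[1:]:
            yield "http_header", line

    def inspect(self, src, sport, payload):
        """Return 'forward' or 'drop' for one segment of session (src, sport)."""
        key = (src, sport)
        if key in self.dropped:
            return "drop"          # a dropped session stays dropped
        for ctx, data in self.contexts(payload):
            for name, rx in SIGNATURES[ctx]:
                self.comparisons += 1
                if rx.search(data):
                    self.dropped[key] = name
                    return "drop"
        return "forward"

if __name__ == "__main__":
    insp = InlineInspector()
    probe = b"GET /scripts/../../x HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    page = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    print(insp.inspect("192.0.2.10", 4000, probe))  # same source, probe session
    print(insp.inspect("192.0.2.10", 4001, page))   # same source, normal session
```

The drop decision is keyed on the session (source address and port), so a second connection from the same address is still forwarded, and `comparisons` shows how few pattern checks are made when each signature is tied to one context.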