Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: "Stiennon,Richard" <richard.stiennon () gartner com>
Date: Sat, 30 Mar 2002 13:37:52 -0500

Whoa guys, I think you are way off base here. 

Intrusion prevention is distinct from "Firewalling + anti-virus". Firewalls
are access control devices that apply a set of rules (filters) based on
source, destination, and service (port number). Oh, OK, you can get more
granular and have rules based on time of day, authentication, etc. 

The technology introduced by OneSecure, Tippingpoint, and Intruvert in
recent weeks is way different. They have expanded the concept of stateful
inspection to help with the throughput issue. Instead of attempting to do a
100% comparison of every signature with every packet, they only compare
relevant portions of a stream to relevant signatures. 

When a match is made (or an anomaly detected) the device just drops the
session. There is no rule added that blocks access from a source. You could
hack away at my web server all day from AOL and I would drop your attempts
(those using known hacks) while still allowing all of AOL to see my web
pages. 

Host hardening systems from the likes of Okena and Entercept are different
from Firewalls + AV too. 


This is a sea change in defensive technologies folks. It breaks away from
the more-better-faster IDS camp. 

-Stiennon


-----Original Message-----
From: Crispin Cowan [mailto:crispin () wirex com]
Sent: Friday, March 29, 2002 3:53 PM
To: Marcus J. Ranum
Cc: Pieper, Rodney; Stiennon,Richard; 'Gary Flynn';
'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Intrusion Prevention Firewall


Marcus J. Ranum wrote:

I suspect you are referring to "intrusion prevention" - which is a
hot new marketing term but basically everything that's being billed
as "intrusion prevention" is just firewalling + antivirus with
a bit of fresh paint on it.

... and that bugs me, because I've been trying to characterize 
Immunix-style defenses (StackGuard, FormatGuard, RaceGuard, etc.) as 
"intrusion rejection", which really means something: applications that 
abort themselves when they detect that they're being hacked. Now these 
dorky marketing people have ruined a perfectly good buzz phrase by 
making it synonymous with "firewalls" :-(

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
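The session-dropping behaviour Stiennon describes above (compare only the relevant portion of a stream against the signatures relevant to that service, drop the offending session when one matches, never add a rule against the source address) is sketched here as an added Python example. It is not code from the original thread or from any of the vendors named in it. The flow/packet model, the two HTTP signatures, the decision to inspect only the request line, the RFC 5737 addresses and the sample traffic are all constructed assumptions for illustration; a second class shows the "block the whole source" reaction for contrast, so the difference between the two is visible on the same traffic.

```python
import re
from dataclasses import dataclass

# Each signature is scoped to a service and to the part of the stream it is
# relevant to (here: the HTTP request line), so only that portion is compared
# to it rather than every byte of every packet against every signature.
# Both patterns are illustrative assumptions, not any vendor's signatures.
SIGNATURES = [
    ("http-dir-traversal", 80, re.compile(rb"\.\./")),
    ("http-cmd-exe", 80, re.compile(rb"cmd\.exe", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Flow:
    """A TCP session identified by its 4-tuple (frozen, so usable as a set key)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Packet:
    flow: Flow
    payload: bytes


def match_signature(pkt):
    """Return the name of the first signature the packet matches, else None.

    Only signatures for the destination service are tried, and only against
    the request line (first line of the payload), not the whole packet.
    """
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    for name, port, pattern in SIGNATURES:
        if pkt.flow.dst_port == port and pattern.search(request_line):
            return name
    return None


class SessionDropIPS:
    """Drops the offending session only; no rule is ever added for a source."""

    def __init__(self):
        self.dropped_flows = set()
        self.alerts = []

    def handle(self, pkt):
        if pkt.flow in self.dropped_flows:
            return "DROP"  # rest of an already-dropped session
        name = match_signature(pkt)
        if name:
            self.dropped_flows.add(pkt.flow)
            self.alerts.append((name, pkt.flow.src_ip, pkt.flow.src_port))
            return "DROP"
        return "PASS"


class SourceBlockFirewall:
    """For contrast: a reactive device that adds a deny rule for the source IP."""

    def __init__(self):
        self.blocked_sources = set()

    def handle(self, pkt):
        if pkt.flow.src_ip in self.blocked_sources:
            return "DROP"  # everyone behind that address is now cut off
        if match_signature(pkt):
            self.blocked_sources.add(pkt.flow.src_ip)
            return "DROP"
        return "PASS"


# Constructed traffic (assumption): an attacker and an innocent user share one
# source address, as many users behind a large ISP's proxies would.
PROXY, WEB = "192.0.2.10", "198.51.100.20"
victim_browser = Flow(PROXY, 40001, WEB, 80)
attacker_a = Flow(PROXY, 40002, WEB, 80)
attacker_b = Flow(PROXY, 40003, WEB, 80)
SAMPLE_TRAFFIC = [
    Packet(victim_browser, b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    Packet(attacker_a, b"GET /../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet(attacker_a, b"GET /index.html HTTP/1.0\r\n\r\n"),  # same session: stays dropped
    Packet(victim_browser, b"GET /about.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    Packet(attacker_b, b"GET /index.html HTTP/1.0\r\n\r\n"),  # new, clean session
    # traversal bytes outside the request line are never compared to the HTTP signatures
    Packet(Flow(PROXY, 40004, WEB, 80), b"POST /upload HTTP/1.0\r\n\r\n../../etc/passwd"),
    # the same bytes to a non-HTTP service: no HTTP signature is relevant to port 25
    Packet(Flow(PROXY, 40005, WEB, 25), b"GET /../../../etc/passwd\r\n"),
]


def run(device, packets=SAMPLE_TRAFFIC):
    """Feed packets through a device in order and return its per-packet verdicts."""
    return [device.handle(p) for p in packets]


if __name__ == "__main__":
    print("session-drop IPS :", run(SessionDropIPS()))
    print("source-block FW  :", run(SourceBlockFirewall()))
```

Run as a script, the session-dropping device passes everything except the attacker's one offending session (packets 2 and 3), so the innocent browser on the same address keeps working and even the attacker's next clean session is served. The source-blocking device drops every later packet from the shared address, which is exactly the "all of AOL goes dark" outcome the post says the new devices avoid.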