Firewall Wizards mailing list archives

Re: Firewall Primitives


From: Crispin Cowan <crispin () wirex com>
Date: Tue, 05 Nov 2002 21:55:28 -0800

George Capehart wrote:

> Crispin Cowan wrote:
>> George Capehart wrote:
>>
>>> This is interesting.  So, a firewall really should/could/might be a
>>> multi-layer, multi-protocol switch . . .
>> But of course. That's all firewalls ever were, but marketing hates it
>> when people discover that :)
> Doh!  OK, I'll buy that.  I'd really (in my own way) seen firewalls as being
> more like band-pass filters.  But that's probably another discussion.  When
> I wrote "switch" I was really thinking "router."
>
> :/g/switch/s//router/g

As I was taught, "switch" ::= "level 3" and "router" ::= "level 4". Firewalls are "whatever freakin' level you like" (see my previous rant on "intrusion prevention is really firewalls in drag" <http://lists.insecure.org/firewall-wizards/2002/Aug/0137.html>) so it amounts to the same thing.

> It really did seem that he was suggesting that the firewall actually
> actively route, as opposed to "look at the packet and drop it if it doesn't
> like it . . ." ;-]

And from a security or functionality perspective, why would we care about the difference?

> So, I really meant to use the term router.  That is a
> step beyond the "throw it in the bit bucket if I don't like it" function

The "routing" function I had in mind was for "service networks", i.e. DMZ's as served off a firewall with 3 NICs.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"
