Firewall Wizards mailing list archives
Re: Firewall Primitives
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 06 Nov 2002 16:31:50 -0500
Devdas Bhagat wrote:
> IMHO, most organizations should not care about packet filtering firewalls dropping packets on the edge in accordance with policy.
That's certainly not your policy decision to make for any network but your own. You're also implicitly assuming that the firewall is a boundary-only device - which is not (or shouldn't be) the case with all firewalls. Additionally, the organization may wish to keep data about number and type of disallowed connections. It has always struck me as strange that many organizations deny traffic and don't log the denies - but spend lots of money on IDS.
> The only place where you want to collect information is a honeypot, which is a different kettle of fish.
I want to collect information _everywhere_ - don't assume where I do or don't want to collect information! :) Besides, the presence of a firewall may make it IMPOSSIBLE to collect some of the info I want. That's the whole problem. The segregation between IDS/Firewalls/Honeypots/VPN/AV is all a figment of your imagination!
>> doing app-level processing and signature checking against the incoming (or optionally outgoing) stream to check for misuse or
> This would be a matter for an application layer gateway. I don't know about others, but I certainly count application layer gateways/proxies in my firewall architecture.
Gee, I seem to remember saying something like that, myself, once. ;)
> <repeat rant> Older systems were not fast enough to check all network traffic for malicious behaviour. Modern systems are fast enough to do protocol validation for most speeds </repeat rant>
Older systems _were_ perfectly capable of doing checks for malicious behavior. A few of them did, even the first proxy firewalls. The reason firewalls don't do exhaustive checks has more to do with market dynamics and time-to-market than it does with performance issues in doing fast checks. Simply put: most customers would rather buy something that says "gigabit" on the marketing glossies than something that says "freakin' intensely secure"

mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
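Ranum's point above is that an organization may want data on the number and type of disallowed connections, and that denies which are never logged are wasted signal. The following is an added example, not code from the original post or from anyone on the list, of the defender-side half of that argument: turning a firewall's deny log into the counts he describes. It assumes the deny rule logs in the Linux netfilter LOG target's key=value syslog format with an assumed `--log-prefix` of "FW-DENY:" (the prefix name is an assumption), and the log lines themselves are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the netfilter LOG target's key=value format.
# These entries are made up for the example; they are not logs from the original post.
SAMPLE_LOG = """\
Nov  6 16:20:01 gw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  6 16:20:03 gw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  6 16:20:05 gw kernel: FW-DENY: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=4711 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  6 16:20:06 gw kernel: FW-DENY: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=4712 DF PROTO=TCP SPT=40022 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Nov  6 16:20:08 gw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=44 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov  6 16:20:09 gw sshd[4242]: Accepted publickey for admin from 192.0.2.50 port 50111 ssh2
"""

# Assumed --log-prefix on the logging DROP rule; change to match the real ruleset.
LOG_PREFIX = "FW-DENY:"

# netfilter LOG emits space-separated KEY=value tokens; flags such as DF or SYN
# carry no "=" and are simply not captured here.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_deny_line(line):
    """Return a dict for one denied-packet log line, or None for unrelated lines."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    proto = fields.get("PROTO", "?")
    # ICMP and other protocols have no DPT field; keep that explicit.
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "iface": fields.get("IN"),
        "proto": proto,
        "dport": dport,
    }


def summarize_denies(text):
    """Count denied connections by service (proto/dport) and by source address."""
    events = [e for e in (parse_deny_line(l) for l in text.splitlines()) if e]
    by_service = Counter(
        f"{e['proto']}/{e['dport']}" if e["dport"] is not None else e["proto"]
        for e in events
    )
    by_source = Counter(e["src"] for e in events)
    return {"total": len(events), "by_service": by_service, "by_source": by_source}


def format_report(summary):
    """Render the summary as plain text suitable for a daily mail or console."""
    lines = [f"denied connections: {summary['total']}", "by service:"]
    lines += [f"  {svc:<10} {n}" for svc, n in summary["by_service"].most_common()]
    lines.append("by source:")
    lines += [f"  {src:<16} {n}" for src, n in summary["by_source"].most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_denies(SAMPLE_LOG)))
```

The same parser works unchanged on a real `/var/log/kern.log` once the prefix matches the ruleset, and the by-service counter is the cheapest possible answer to "what is being refused at the edge" without buying a separate IDS to watch traffic the firewall already saw and dropped.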