Firewall Wizards mailing list archives

RE: Firewalls Compared


From: "Eugene Kuznetsov" <eugene () datapower com>
Date: Mon, 28 Jun 2004 19:08:42 -0400

> With the increasing focus on application layer attacks, the day
> of packet-filters even being termed "firewalls" is pretty much over.
> Packet filters were barely firewalls to begin with, but today, the
> fight's mostly up in Layer 7 where they have no value.

Hmm, I do not think that "firewall" is the right term for devices that
operate at layer 7 or "layer 8". Not on grounds of technical correctness,
but of common usage. If a big challenge for making a more secure world is
information and education about threats and best practices, the term
"firewall" does more harm than good. One man's application firewall is
another woman's application proxy and someone else's packet filter. 

In my experience, what most normal people mean by "firewall" is a box that
does not do any TCP termination or deep inspection, but instead simply
allows and disallows connections at certain IP ports. That box may be
capable of doing more, but usually that capability is not being used. 


\\ Eugene Kuznetsov, Chairman & CTO  : eugene () datapower com 
\\ DataPower Technology, Inc.        : Web Services security 
\\ http://www.datapower.com          : XML-aware networks   

