Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 27 Nov 2007 23:13:23 -0500

Marcin Antkiewicz wrote:
> I am not the authority on the subject but, if I am correct, the first 
> firewalls did not even have packet filters - traffic went through a proxy, 
> and protocols that were not supported/proxy friendly were transferred via 
> some kind of authenticated IP replay thingey (or was it decnet to IP 
> bridge?)

It's not clear what the "first" firewalls were, because there were a
fair number of things in play around the mid/late 80's called
"firewalls."

Dave Presotto's firewall at Bell Labs involved a mix
of proxies and circuit relays. Brian Reid, Geoff Mogul and Paul
Vixie at DEC West were managing a "firewall" that most of us
today would term a "dual homed gateway" - users had shell
level access and logged into the device, making /bin/sh a rather
open-ended "proxy."

Most of us would call Presotto's system the first true firewall,
but (as you can imagine) there are a lot of people who want to
stake their claim to various pieces of the puzzle.

On a related and somewhat amusing unhistorical note, the
US Patent Office continues to grant patents for proxy
firewalls. At least once (and sometimes twice) a year, I get
excited calls from lawyers wanting to hire me as a consultant
to help them sue some big firewall vendor or other for
infringing on a ground-breaking idea like proxy transparency
(first shipped in borderguard but simultaneously implemented in
Gauntlet, Centri, and AT&T's firebrick) or content scanning
(first shipped in DEC SEAL - sort of - and later in Secure
Computing Sidewinder's marketing literature, and then a
host of others) etc, etc.  I can't decide whether to laugh or
cry.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

