nanog mailing list archives

Re: Firewall opinions wanted please


From: Rachael Treu <rara () navigo com>
Date: Wed, 17 Mar 2004 15:11:10 -0600


On Wed, Mar 17, 2004 at 12:19:53PM -0500, Eric Gauthier said something to the effect of:

> > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > have a firewall.  Nicole, holding dominion over this business network and 
> > its critical infrastructure, should _definitely_ have a firewall.  ;)

> By "firewall", do you mean "dedicated unit that does stateful filtering"

No.

> or just "something that will block packets"?  We've successfully argued
> to just about every group here at our University who came to us asking for a 
> "firewall" that, given what they wanted to achieve, they could accomplish the 
> same thing with simple ACLs...  

  fire'wall    
1. A fireproof wall used as a barrier to prevent the spread of fire. 
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a 
computer network or that monitor transfers of information to and from the network. 

> I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall 
> also helped them in their decision...

This is just a semantic issue.  I am putting any packet-level inspection
engine deployed as an access control means into the category of "firewall."
The confusion here would be akin to my retorting with "how on earth is 
deploying lists of system object access rights going to protect a network
edge?"  ;)  ACL has alternate meanings, as well[1].

A sample of what some vendors call some things:

Cisco: router packet-level access control = ACL
Microsoft: OS object permissioning schema = ACL
Linksys: router packet-level access control = firewall
Juniper: router packet-level access control = firewall filter

:)

*,
--ra
[1]http://whatis.techtarget.com/definition/0,289893,sid9_gci213757,00.html

-- 
k. rachael treu, CISSP       rara () navigo com
..quis custodiet ipsos custodes?..


> Eric :)
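What Eric's "stateful filtering" versus "something that will block packets" distinction actually changes is easiest to see side by side. The following is an added illustration, not part of the thread: a toy simulator that applies the same constructed packets to a stateless router-style ACL (a "permit established" rule, which only looks at the ACK/RST bits on the packet in hand) and to a stateful filter that remembers which connections the inside opened. Packet addresses, ports and the policy shape are assumptions made for the demonstration.

```python
from typing import NamedTuple, FrozenSet, Dict, Tuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}
    inbound: bool           # True = arriving from outside toward the protected network

def acl_permit(pkt: Packet) -> bool:
    """Stateless inbound ACL in the style of a router 'established' rule:
    permit tcp any any established / deny ip any any.
    'established' only tests whether ACK or RST is set on this packet."""
    if not pkt.inbound:
        return True
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Permits inbound packets only if they belong to a connection the
    protected side opened earlier (tracked by the outbound SYN)."""
    def __init__(self) -> None:
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def permit(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reverse the tuple so an inbound reply matches its outbound opener.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def compare_policies() -> Dict[str, Tuple[bool, bool]]:
    """Return {scenario: (acl_decision, stateful_decision)} for constructed traffic."""
    inside, web, stranger = "10.0.0.5", "203.0.113.7", "198.51.100.9"  # constructed
    sf = StatefulFilter()
    scenarios = [
        ("outbound SYN",     Packet(inside, 40000, web, 80, frozenset({"SYN"}), False)),
        ("reply SYN/ACK",    Packet(web, 80, inside, 40000, frozenset({"SYN", "ACK"}), True)),
        ("unsolicited ACK",  Packet(stranger, 1234, inside, 22, frozenset({"ACK"}), True)),
        ("unsolicited SYN",  Packet(stranger, 1235, inside, 22, frozenset({"SYN"}), True)),
    ]
    return {name: (acl_permit(p), sf.permit(p)) for name, p in scenarios}

if __name__ == "__main__":
    for name, (acl, stateful) in compare_policies().items():
        print(f"{name:16} ACL={'permit' if acl else 'deny':6} stateful={'permit' if stateful else 'deny'}")
```

The "unsolicited ACK" row is the case where the two disagree: the ACL has no memory, so a packet carrying the right flag bits passes regardless of whether anyone inside asked for it, which is exactly the gap a stateful unit closes.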


