Firewall Wizards mailing list archives

Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: "M. Dodge Mumford" <dodge () dmumford com>
Date: Mon, 12 Aug 2002 21:23:31 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 12 Aug 2002, Crispin Cowan wrote:

> Is anyone besides me sick to death of hearing about "intrusion
> prevention" and "gateway intrusion detection" technologies?

Occasionally I grow weary of many labels, whether they're applied to
security devices, styles of painting, or music. Then I remember that people
who aren't experts at things need to put like things together. When they
realize they need or want a thing, they look at the different options
available. Creating new categories (or market segments) can help new
technologies get off the ground. Sure it creates confusion at first, but in
that confusion you can get your foot in the door and make your product
better.

As far as I can tell, the main reason most firewalls haven't advanced
particularly is because a very narrow definition of what a firewall must be
has been commonly accepted. It appears the definition of what a firewall
must be is something along the lines of "A gateway that filters network
traffic based on static rules about which hosts may communicate using
specific protocols and specific ports". If that is accepted as a definition
for a firewall, then when a consultant is setting up a network and they need
to make sure the auditors will fill in the "Firewall" checkbox, they are
going to want to make sure they get a device that sends data through fast
and has a usable GUI. "Who cares if it's defragmenting packets and checking
TCP sequence numbers, can I hit my full bandwidth and generate pretty
reports?"

I find it surprising that there aren't (more? any?) gateway devices that
will defragment traffic, create new TCP ISNs (preferably using an onboard
random number generator), check TCP sequences, implement "firewall-like
rules" <cough>, and make it easy to do higher-level blocking. Higher-level
to me means things like blocking specific websites and stripping unknown
tags from HTML; blocking email messages that are known spam or contain MS
executables; making sure that idle SSH sessions time out; unmangling DNS
requests before resending them.

Attacks are happening at (nearly) all the layers and firewalls appear to be
happily ignoring them. That's what is letting these "new technologies"
happen.


Dodge
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SunOS)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj1YX5kACgkQ1Ei74z0N/5k9cgCgv/kfWajmuZbQtetbbSLkJvnb
ak4AoIAJiI5r6u95BLV0eLDAplJICSyI
=OxL+
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
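Two of the gateway functions the post above asks for, defragmenting traffic and rewriting TCP ISNs while checking sequence numbers, as an added example that is not part of the original message or of any product discussed on the list. The Fragment and Flow classes, the flow key, the byte-granular fragment offsets and the packets fed to the functions are all constructed for illustration; the ISN source defaults to secrets.randbits but is injectable so the behaviour can be checked deterministically.

```python
"""Building blocks for the kind of normalizing gateway the post asks for:
IP fragment reassembly that refuses conflicting overlaps, plus per-flow
TCP ISN rewriting with an RFC 793-style sequence-window check.
Added illustration with constructed packets; not code from the post."""
import secrets
from dataclasses import dataclass

MOD32 = 1 << 32


@dataclass
class Fragment:
    """Stand-in for one IPv4 fragment of a single datagram (constructed, not
    parsed from the wire; offsets are plain byte offsets here)."""
    offset: int      # where this fragment's payload sits in the datagram
    more: bool       # MF flag: True on every fragment except the last
    payload: bytes


def reassemble(frags):
    """Return the reassembled payload, or None while pieces are still missing.

    Raises ValueError when two fragments cover the same byte with different
    data.  A gateway must not guess which copy the end host would keep
    (stacks differ, which is exactly what overlapping-fragment evasion
    exploits); an identical overlap, e.g. a retransmitted fragment, is fine.
    """
    buf = {}
    total = None
    for f in frags:
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in buf and buf[pos] != b:
                raise ValueError(f"conflicting overlap at byte {pos}")
            buf[pos] = b
        if not f.more:
            end = f.offset + len(f.payload)
            if total is not None and total != end:
                raise ValueError("two fragments claim to be the last one")
            total = end
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


def in_window(seq, rcv_nxt, window):
    """True when seq lies in [rcv_nxt, rcv_nxt + window) modulo 2**32."""
    return (seq - rcv_nxt) % MOD32 < window


def acceptable(seq, length, rcv_nxt, window):
    """RFC 793 acceptability: some byte of the segment falls in the window."""
    if length == 0:
        return in_window(seq, rcv_nxt, window)
    last = (seq + length - 1) % MOD32
    return in_window(seq, rcv_nxt, window) or in_window(last, rcv_nxt, window)


@dataclass
class Flow:
    """Per-connection state the gateway keeps (one direction, client -> server)."""
    delta: int       # (gateway ISN - client ISN) mod 2**32
    rcv_nxt: int     # next in-order client sequence number
    window: int = 65535


class TcpNormalizer:
    """Rewrites client ISNs so the server never sees the client's (possibly
    guessable) choice, and drops client segments outside the window."""

    def __init__(self, rng=secrets.randbits):
        self.rng = rng          # rng(32) -> fresh 32-bit ISN; injectable for tests
        self.flows = {}

    def on_client_syn(self, key, client_isn):
        """Record a new flow and return the ISN the server will see."""
        gw_isn = self.rng(32)
        flow = Flow(delta=(gw_isn - client_isn) % MOD32,
                    rcv_nxt=(client_isn + 1) % MOD32)   # SYN consumes one number
        self.flows[key] = flow
        return (client_isn + flow.delta) % MOD32

    def client_to_server(self, key, seq, length):
        """Return the rewritten seq, or None if the segment must be dropped.

        In-order data advances rcv_nxt; out-of-order but in-window data is
        forwarded without advancing it (a real normalizer would also buffer)."""
        flow = self.flows[key]
        if not acceptable(seq, length, flow.rcv_nxt, flow.window):
            return None
        if seq == flow.rcv_nxt:
            flow.rcv_nxt = (seq + length) % MOD32
        return (seq + flow.delta) % MOD32

    def server_to_client(self, key, ack):
        """Undo the rewrite on the server's ACK so the client sees its own numbering."""
        return (ack - self.flows[key].delta) % MOD32
```

The reassembler deliberately raises on a conflicting overlap instead of picking a "first wins" or "last wins" policy, because whichever policy the gateway picks can be made to disagree with some end host; dropping the datagram is the only choice that gives the filter the same view as every host behind it. The ISN rewriter keeps one 32-bit delta per flow and applies it modulo 2**32, so sequence wraparound needs no special casing.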

