[fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

From: Crispin Cowan (crispin@wirex.com)
Date: 08/12/02


From: Crispin Cowan <crispin@wirex.com>
To: Firewall Wizards <firewall-wizards@honor.icsalabs.com>
Date: Mon Aug 12 18:23:17 2002

Is anyone besides me sick to death of hearing about "intrusion
prevention" and "gateway intrusion detection" technologies? These are
devices that sit in-line between the Internet and your LAN, apply
intrusion detection pattern matching rules to the content they see
streaming into your site, and block the stuff they deem to be "bad."
The canonical example being the Inline SNORT (née Hogwash) open source
project.

To me, this is a firewall. It is sitting in exactly the same place in
the network topology, performing the same function. It is using new
kinds of rules to distinguish "good" traffic from "bad", but it is
nonetheless a firewall.

I am *not* criticizing the technology. I really like Hogwash. I don't
mean to pick on Hogwash either; it's just more well known than other
proprietary "intrusion prevention" technologies (i.e. I've forgotten the
other vendors' names :) I think it is a *fine* idea to apply the more
conservative, reliable part of IDS techniques to the firewall problem.

I'm just irritated at devices that are fundamentally acting as firewalls
being labeled as some other kind of thing. Technology is hard enough for
people to understand without confounding the problem by labeling similar
devices with different names. So call it a "GIDS Firewall" or a
"Signature Firewall" or something. But let's dispose of "intrusion
prevention" in the tired hype bit bucket.

"'Intrusion Detection' is what you call it when your security mechanism
is so slow, inaccurate, or otherwise broken that you cannot actually use
it as an access control policy." -- me :)

Corollary: 'access control' is what you call it when your IDS rules
become fast and precise enough to act like a firewall.

What set me off: reading yet another article about In-line SNORT/Hogwash
that goes on for paragraphs trying to describe the technology without
ever managing to use the word "firewall." Fine technology, confounded
description.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
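The argument above, that an in-line "intrusion prevention" box is a firewall with a new kind of rule, is easy to see in code. The following is an added example, not code from the post or from Hogwash/Snort: a small in-line filter whose rule set mixes classic address/port rules with signature (payload pattern) rules, evaluated by one and the same first-match decision loop. The same engine runs in "detect" mode (alert and forward, i.e. an IDS) or "block" mode (drop, i.e. a firewall); the only difference is whether a matching block rule is enforced. All packets, addresses and the signature pattern are constructed placeholders.

```python
"""
Minimal model of an in-line packet filter that combines classic firewall
rules (addresses/ports) with signature rules (payload content matching).
Added example: not code from the post, Hogwash or Snort. Every packet,
address and signature below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "block"
    dport: Optional[int] = None         # classic port match
    src_prefix: Optional[str] = None    # classic source-address match
    pattern: Optional[bytes] = None     # signature-style regex over the payload

    def matches(self, pkt: Packet) -> bool:
        """Every populated field must match; unset fields are wildcards."""
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        if self.pattern is not None and re.search(self.pattern, pkt.payload) is None:
            return False
        return True


class InlineFilter:
    """One decision loop for both rule kinds; mode selects IDS or firewall behaviour."""

    def __init__(self, rules: List[Rule], mode: str = "block"):
        if mode not in ("detect", "block"):
            raise ValueError("mode must be 'detect' or 'block'")
        self.rules = list(rules)
        self.mode = mode
        self.log: List[Tuple[str, str]] = []   # (rule name, what happened)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:          # first match wins, as in most firewall rule sets
            if rule.matches(pkt):
                if rule.action == "block" and self.mode == "detect":
                    self.log.append((rule.name, "alert"))   # IDS: log it, let it through
                    return "forward"
                self.log.append((rule.name, rule.action))
                return "forward" if rule.action == "allow" else "drop"
        self.log.append(("default", "allow"))
        return "forward"


# Constructed rule set: two classic rules plus one signature rule.
RULES = [
    Rule("deny-telnet", "block", dport=23),
    Rule("sig-web-bad-pattern", "block", dport=80,
         pattern=rb"EXAMPLE_BAD_PATTERN"),      # constructed placeholder signature
    Rule("allow-web", "allow", dport=80),
]

# Constructed traffic sample (addresses are documentation ranges).
PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", 23, b"login: "),
    Packet("203.0.113.6", "192.0.2.10", 80, b"GET /?q=EXAMPLE_BAD_PATTERN HTTP/1.0"),
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0"),
]


def run(mode: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Push the sample packets through the filter; return (decisions, log)."""
    fw = InlineFilter(RULES, mode=mode)
    decisions = [fw.decide(p) for p in PACKETS]
    return decisions, fw.log


if __name__ == "__main__":
    for mode in ("detect", "block"):
        decisions, log = run(mode)
        print(mode, decisions, log)
```

In "block" mode the telnet packet and the signature hit are dropped and the plain web request is forwarded; in "detect" mode all three are forwarded and the two block rules produce alerts instead. Nothing about the position in the topology or the decision loop changed between the two rule kinds, which is the point of the post.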