[fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

From: Crispin Cowan <crispin@wirex.com>
To: Firewall Wizards <firewall-wizards@honor.icsalabs.com>
Date: Mon Aug 12 18:23:17 2002

Is anyone besides me sick to death of hearing about "intrusion
prevention" and "gateway intrusion detection" technologies? These are
devices that sit in-line between the Internet and your LAN, apply
intrusion detection pattern matching rules to the content they see
streaming into your site, and block the stuff they deem to be "bad."
The canonical example being the Inline SNORT (nee Hogwash) open source

To me, this is a firewall. It is sitting in exactly the same place in
the network topology, performing the same function. It is using new
kinds of rules to distinguish "good" traffic from "bad", but it is
nonetheless a firewall.

I am *not* criticizing the technology. I really like Hogwash. I don't
mean to pick on Hogwash either; it's just more well known than other
proprietary "intrusion prevention" technologies (i.e. I've forgotten the
other vendors' names :) I think it is a *fine* idea to apply the more
conservative, reliable part of IDS techniques to the firewall problem.

I'm just irritated at devices that are fundamentally acting as firewalls
being labeled as some other kind of thing. Technology is hard enough for
people to understand without confounding the problem by labeling similar
devices with different names. So call it a "GIDS Firewall" or a
"Signature Firewall" or something. But let's dispose of "intrusion
prevention" in the tired hype bit bucket.

"'Intrusion Detection' is what you call it when your security mechanism
is so slow, inaccurate, or otherwise broken that you cannot actually use
it as an access control policy." -- me :)

Corollary: 'access control' is what you call it when your IDS rules
become fast and precise enough to act like a firewall.

What set me off: reading yet another article about In-line SNORT/Hogwash
that goes on for paragraphs trying to describe the technology without
ever managing to use the word "firewall." Fine technology, confounded


Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
