Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

From: Marcus J. Ranum
Date: 08/12/02

To: Crispin Cowan, Firewall Wizards
From: "Marcus J. Ranum"
Date: Mon Aug 12 20:09:31 2002

Crispin Cowan wrote:
>Is anyone besides me sick to death of hearing about "intrusion prevention" and "gateway intrusion detection" technologies?

It doesn't bother me. :)

It's just marketing idiots doing their thing. I can tell you
_exactly_ how it happened. Some company builds a useful IDS/Firewall
thingum and one of their marketing idiots says "I KNOW! Rather
than compete on feature comparisons, quality, and price, let's
DEFINE A NEW CATEGORY OF THE MARKET and then we won't have any
competitors and our investors/shareholders will be impressed and
nobody will ask us 'is Checkpoint going to eat your lunch?'!!!"
And sometimes it works if they pay the Gartner/Giga/etc researchers
off enough to spin it as a separate category and list them as
visionaries. During the Internet Bubble most companies changed
their focus from being technology companies that market to
technical folks. Now they are technology companies that market
to unsophisticated end users, analysts, and stock pickers - a
non-technical constituency that is impressed by big fancy sounding

Why have a hammer when you can have an "inertially compensated
enhanced linear impact generator"!!! Hey! That's a whole new
market segment waiting to be explored!!!

>To me, this is a firewall.

        VPN routers
        URL filters
        boundary antivirus
        caching proxies

are all the same thing, from a sufficiently high level. There are
feature sets that many of these have in common (signatures, logging,
filtering, alert processing, data decoding, protocol decoding, deception)
etc. that could easily integrate into a single box. A commercial entity
would have a hard sell doing so, unless they were adequately funded to
develop and market a technology that competed with, basically, the
entire security products market.* Doing it right (so it'd be fast and
efficient) would mean building the complete system from scratch so
the components would work together smoothly: you couldn't build
it by buying one of each and gluing them together.

So, yes, the "intrusion prevention" products are really just antivirus
shims, firewall shims, and some IDS protocol decoding and logic. As
you say, that doesn't make it bad. It's just the marketing idiots
that bug you. That just shows that you're normal, and have a working
brain. ;)

(* except for the PKI guys but nobody cares about them anymore)

Marcus J. Ranum
Computer and Communications Security