Re: [fw-wiz] Firewall Primitives

From: Chris Calabrese (
Date: 11/05/02

From: Chris Calabrese <>
To: Crispin Cowan <>
Date: Tue Nov  5 16:33:17 2002

Hey Crispin,

I know you were at least half kidding from your :-), but I had to rebut

Certainly there are examples of firewalls that are little more than a
multi-layer, multi-protocol switch with some basic access control
rules. And lots of special purpose firewalls or "lite" firewalls for
SOHO use still look like this (my home firewall looks like this, plus
some support for NATing IPsec and a built-in wireless access point, but
it does exactly what I needed it to and only cost about $200 - and
don't bother flaming about the wireless bit either).

On the other hand, trying to market something like that today probably
wouldn't fly in the enterprise firewall market. There the definition of
"firewall" has already expanded to cover stateful rules for handling
tortured protocols like RealAudio, VPN support, rudimentary intrusion
alerting, and hooks for web content filters, spam filters, virus
filters, etc.

I expect that the future of enterprise firewalls holds more advanced
intrusion detection/prevention capabilities (Sidewinder, Netscreen, and
the CrunchBox are leaders here), more integrated web content filters,
spam filters, and malware filters (Symantec comes to mind on this one),
and maybe even some basic honeypot capabilities for evidence gathering
(something Marcus and I discussed a couple of weeks ago at SANS Network

So... Yes, some firewalls are simplistic. And yes, some marketing guys
try to cover things up.

But no, that doesn't mean that all firewalls are simplistic, that all
marketing people try to cover things up, or that people would buy such
a thing today.

And yes, I'm avoiding the urge to end with a witticism about one or more
of these truisms...
