Re: [fw-wiz] Firewall Primitives

From: Crispin Cowan
Date: 11/06/02

From: Crispin Cowan
To: George Capehart
Date: Wed Nov  6 09:09:41 2002

George Capehart wrote:

>Crispin Cowan wrote:
>>George Capehart wrote:
>>>This is interesting. So, a firewall really should/could/might be a
>>>multi-layer, multi-protocol switch . . .
>>But of course. That's all firewalls ever were, but marketing hates it
>>when people discover that :)
>Doh! OK, I'll buy that. I'd really (in my own way) seen firewalls as being
>more like band-pass filters. But that's probably another discussion. When
>I wrote "switch" I was really thinking "router."
As I was taught, "switch" ::= "level 3" and "router" ::= "level 4".
Firewalls are "whatever freakin' level you like" (see my previous rant
on "intrusion prevention is really firewalls in drag"
<>) so it
amounts to the same thing.

>It really did seem that he was suggesting that the firewall actually
>actively route, as opposed to "look at the packet and drop it if it doesn't
>like it . . ." ;-]
And from a security or functionality perspective, why would we care
about the difference?

> So, I really meant to use the term router. That is a
>step beyond the "throw it in the bit bucket if I don't like it" function
The "routing" function I had in mind was for "service networks", i.e.
DMZs as served off a firewall with 3 NICs.


Crispin Cowan, Ph.D.
Chief Scientist, WireX
Security Hardened Linux Distribution:
Available for purchase:
Just say ".Nyet"
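The "multi-layer switch" view and the three-NIC service-network setup discussed in this thread, as an added example that is not part of the original message: a minimal zone-based forwarding model in which one decision matches on the ingress NIC (L2), the zone of each address (L3) and protocol/port (L4), and yields both a verdict and an egress NIC. The interface-to-subnet mapping, the zone names and the policy rows are constructed assumptions, not anything from the thread.

```python
"""Three-legged firewall (outside / inside / dmz) modelled as a switch.

Constructed example: NIC names, subnets and policy rows are assumptions.
A packet is dropped if its source address is not consistent with the NIC
it arrived on (anti-spoofing), if it would leave by the NIC it came in
on, or if no policy row allows the zone pair / protocol / port.
"""
import ipaddress
from collections import namedtuple

# Assumed NIC -> (zone, subnet) for a firewall with 3 NICs.
ZONES = {
    "eth0": ("outside", ipaddress.ip_network("0.0.0.0/0")),
    "eth1": ("inside",  ipaddress.ip_network("10.0.0.0/24")),
    "eth2": ("dmz",     ipaddress.ip_network("192.0.2.0/24")),
}

Packet = namedtuple("Packet", "ingress src dst proto dport")

# Constructed policy: (from_zone, to_zone, proto, dport); None = any.
POLICY = [
    ("outside", "dmz",     "tcp", 80),    # public web service
    ("outside", "dmz",     "tcp", 443),
    ("inside",  "dmz",     None,  None),  # LAN may manage the DMZ
    ("inside",  "outside", None,  None),  # LAN egress
    ("dmz",     "outside", "tcp", 25),    # DMZ host may send mail out
]  # dmz -> inside is deliberately absent: default deny


def nic_for(addr):
    """L3 step: longest-prefix match of an address to the NIC serving it."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, nic) for nic, (_, net) in ZONES.items() if ip in net]
    return max(matches)[1]


def forward(pkt):
    """Return (verdict, egress_nic); filtering and routing are one lookup."""
    if nic_for(pkt.src) != pkt.ingress:       # L2/L3 mismatch: spoofed source
        return ("DROP", None)
    out_nic = nic_for(pkt.dst)
    if out_nic == pkt.ingress:                # same-leg traffic is not forwarded
        return ("DROP", None)
    in_zone, out_zone = ZONES[pkt.ingress][0], ZONES[out_nic][0]
    for fz, tz, proto, port in POLICY:
        if (fz, tz) == (in_zone, out_zone) \
                and proto in (None, pkt.proto) and port in (None, pkt.dport):
            return ("ACCEPT", out_nic)
    return ("DROP", None)
```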
