Re: [fw-wiz] Firewall Primitives

From: Crispin Cowan (
Date: 11/06/02

From: Crispin Cowan <>
To: George Capehart <>
Date: Wed Nov  6 09:09:41 2002

George Capehart wrote:

>Crispin Cowan wrote:
>>George Capehart wrote:
>>>This is interesting. So, a firewall really should/could/might be a
>>>multi-layer, multi-protocol switch . . .
>>But of course. That's all firewalls ever were, but marketing hates it
>>when people discover that :)
>Doh! OK, I'll buy that. I'd really (in my own way) seen firewalls as being
>more like band-pass filters. But that's probably another discussion. When
>I wrote "switch" I was really thinking "router."
As I was taught, "switch" ::= "level 3" and "router" ::= "level 4".
Firewalls are "whatever freakin' level you like" (see my previous rant
on "intrusion prevention is really firewalls in drag"
<>) so it
amounts to the same thing.

>It really did seem that he was suggesting that the firewall actually
>actively route, as opposed to "look at the packet and drop it if it doesn't
>like it . . ." ;-]
And from a security or functionality perspective, why would we care
about the difference?

> So, I really meant to use the term router. That is a
>step beyond the "throw it in the bit bucket if I don't like it" function
The "routing" function I had in mind was for "service networks", i.e.
DMZs as served off a firewall with 3 NICs.


Crispin Cowan, Ph.D.
Chief Scientist, WireX
Security Hardened Linux Distribution:
Available for purchase:
Just say ".Nyet"
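The three-NIC "service network" layout discussed above, as an added example that is not part of the thread: a small Python model of one box that both routes (longest-prefix match over its three interfaces) and filters (a policy keyed on ingress and egress NIC, plus a reverse-path check so a packet claiming an internal source cannot arrive from outside). Interface names, address ranges and the policy table are all constructed for illustration; a real deployment would express the same decisions in the host's packet filter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not from the message): three NICs on one firewall.
ROUTES = [
    (ip_network("10.0.0.0/8"), "eth2"),     # internal network
    (ip_network("192.0.2.0/24"), "eth1"),   # DMZ / service network
    (ip_network("0.0.0.0/0"), "eth0"),      # default route: the outside world
]

ANY = None  # marker meaning every protocol/port is permitted between two zones

# Policy keyed by (ingress NIC, egress NIC); pairs that are absent are denied.
POLICY = {
    ("eth0", "eth1"): {("tcp", 80), ("tcp", 443), ("tcp", 25)},  # public services in the DMZ
    ("eth1", "eth0"): {("tcp", 25), ("udp", 53)},               # DMZ may relay mail and resolve names
    ("eth2", "eth0"): ANY,                                      # inside may reach outside
    ("eth2", "eth1"): ANY,                                      # inside may reach the DMZ
    # ("eth0", "eth2") and ("eth1", "eth2") are deliberately absent: neither the
    # outside nor a (possibly compromised) DMZ host initiates into the internal net.
}


@dataclass(frozen=True)
class Packet:
    in_if: str   # NIC the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def route(addr: str) -> str:
    """Longest-prefix match over ROUTES: the 'router' half of the box."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, nic) for net, nic in ROUTES if ip in net]
    return max(matches)[1]


def decide(pkt: Packet) -> str:
    """Return the egress NIC for a packet to be forwarded, or 'DROP'."""
    # Reverse-path check: the source must be reachable via the NIC it arrived on;
    # an internal address showing up on the outside NIC is spoofed.
    if route(pkt.src) != pkt.in_if:
        return "DROP"
    out_if = route(pkt.dst)
    if out_if == pkt.in_if:
        return "DROP"  # hosts on one segment talk directly; nothing to forward
    allowed = POLICY.get((pkt.in_if, out_if), set())
    if allowed is ANY or (pkt.proto, pkt.dport) in allowed:
        return out_if
    return "DROP"


if __name__ == "__main__":
    # Constructed sample traffic, one packet per interesting case.
    samples = [
        Packet("eth0", "203.0.113.5", "192.0.2.10", "tcp", 443),   # outside -> DMZ web
        Packet("eth0", "203.0.113.5", "10.1.1.1", "tcp", 443),     # outside -> inside
        Packet("eth1", "192.0.2.10", "10.1.1.1", "tcp", 22),       # DMZ -> inside
        Packet("eth0", "10.1.1.1", "192.0.2.10", "tcp", 80),       # spoofed internal source
        Packet("eth2", "10.1.1.1", "198.51.100.7", "tcp", 443),    # inside -> outside
    ]
    for p in samples:
        print(p.in_if, p.src, "->", p.dst, p.proto, p.dport, "=>", decide(p))
```

The point the model makes is the one Crispin makes: once the box already has to pick an egress interface, "route it" and "drop it if I don't like it" are the same decision, and the DMZ only earns its keep because the (DMZ -> internal) pair is never in the policy.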