Re: [fw-wiz] Firewall Primitives

From: Crispin Cowan (crispin@wirex.com)
Date: 11/06/02
From: Crispin Cowan <crispin@wirex.com>
To: George Capehart <capegeo@opengroup.org>
Date: Wed Nov  6 09:09:41 2002
George Capehart wrote:

>Crispin Cowan wrote:
>
>>George Capehart wrote:
>>
>>>This is interesting. So, a firewall really should/could/might be a
>>>multi-layer, multi-protocol switch . . .
>>>
>>But of course. That's all firewalls ever were, but marketing hates it
>>when people discover that :)
>>
>Doh! OK, I'll buy that. I'd really (in my own way) seen firewalls as being
>more like band-pass filters. But that's probably another discussion. When
>I wrote "switch" I was really thinking "router."
>
>:/g/switch/s//router/g
>
As I was taught, "switch" ::= "level 3" and "router" ::= "level 4".
Firewalls are "whatever freakin' level you like" (see my previous rant
on "intrusion prevention is really firewalls in drag"
<http://lists.insecure.org/firewall-wizards/2002/Aug/0137.html>) so it
amounts to the same thing.

>It really did seem that he was suggesting that the firewall actually
>actively route, as opposed to "look at the packet and drop it if it doesn't
>like it . . ." ;-]
>
And from a security or functionality perspective, why would we care
about the difference?

> So, I really meant to use the term router. That is a
>step beyond the "throw it in the bit bucket if I don't like it" function
>
The "routing" function I had in mind was for "service networks", i.e.
DMZ's as served off a firewall with 3 NICs.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"