Re: [fw-wiz] Firewall Primitives
From: Crispin Cowan (crispin@wirex.com)
Date: 11/06/02
- Next message: Philip J. Koenig: "Re: [fw-wiz] Interlopers on the WLAN"
- Previous message: Roger Marquis: "[fw-wiz] Re: Interlopers on the WLAN"
- In reply to: George Capehart: "Re: [fw-wiz] Firewall Primitives"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Firewall Primitives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Crispin Cowan <crispin@wirex.com>
To: George Capehart <capegeo@opengroup.org>
Date: Wed Nov 6 09:09:41 2002
George Capehart wrote:
>Crispin Cowan wrote:
>
>
>>George Capehart wrote:
>>
>>>This is interesting. So, a firewall really should/could/might be a
>>>multi-layer, multi-protocol switch . . .
>>>
>>>
>>But of course. That's all firewalls ever were, but marketing hates it
>>when people discover that :)
>>
>>
>Doh! OK, I'll buy that. I'd really (in my own way) seen firewalls as being
>more like band-pass filters. But that's probably another discussion. When
>I wrote "switch" I was really thinking "router."
>
>:/g/switch/s//router/g
>
As I was taught, "switch" ::= "level 3" and "router" ::= "level 4".
Firewalls are "whatever freakin' level you like" (see my previous rant
on "intrusion prevention is really firewalls in drag"
<http://lists.insecure.org/firewall-wizards/2002/Aug/0137.html>) so it
amounts to the same thing.
>It really did seem that he was suggesting that the firewall actually
>actively route, as opposed to "look at the packet and drop it if it doesn't
>like it . . ." ;-]
>
And from a security or functionality perspective, why would we care
about the difference?
> So, I really meant to use the term router. That is a
>step beyond the "throw it in the bit bucket if I don't like it" function
>
The "routing" function I had in mind was for "service networks", i.e.
DMZs as served off a firewall with 3 NICs.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
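The 3-NIC firewall serving a DMZ that Crispin mentions, as an added example that is not code from the thread: a toy Python model in which a single decision both picks the egress NIC (the "routing" part) and applies the pass/drop policy (the "band-pass filter" part), with a flow table so that reply traffic is admitted only for connections the policy already allowed. The zone prefixes, the port policy and the sample addresses are constructed assumptions.

```python
"""Toy model of a three-legged (LAN / DMZ / WAN) firewall that routes and
filters in one step. Added example with constructed addressing; it is not
code from the firewall-wizards thread."""
import ipaddress
from dataclasses import dataclass

# One NIC per zone (assumed prefixes); anything else is reached via the WAN NIC.
ZONE_NETS = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# (ingress zone, egress zone) -> TCP ports allowed for NEW connections.
# None means any port; a pair that is missing is closed in that direction.
POLICY = {
    ("lan", "wan"): None,
    ("lan", "dmz"): {22, 80, 443},
    ("wan", "dmz"): {80, 443},
    ("dmz", "wan"): {53, 123},
    # ("dmz", "lan") is deliberately absent: a compromised service host
    # must not be able to open connections into the inside network.
}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = opens a connection, False = mid-flow / reply segment

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((z for z, n in ZONE_NETS.items() if ip in n), "wan")

class ThreeLegFirewall:
    def __init__(self):
        self.flows = set()  # admitted flows as (src, sport, dst, dport)

    def forward(self, pkt: Packet):
        """Return ("forward", egress_zone) or ("drop", reason)."""
        ingress, egress = zone_of(pkt.src), zone_of(pkt.dst)
        if ingress == egress:
            return ("drop", "not inter-zone traffic")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn:  # established traffic: forward only for an admitted flow
            if key in self.flows or reverse in self.flows:
                return ("forward", egress)
            return ("drop", "no matching flow")
        allowed = POLICY.get((ingress, egress), set())
        if allowed is None or pkt.dport in allowed:
            self.flows.add(key)
            return ("forward", egress)
        return ("drop", f"{ingress}->{egress} port {pkt.dport} not permitted")
```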