Re: [fw-wiz] Firewalls Compared

From: Crispin Cowan (
Date: 06/30/04

  • Next message: Jim Seymour: "RE: [fw-wiz] Firewalls Compared"
    To: Eugene Kuznetsov <>
    Date: Wed, 30 Jun 2004 05:22:19 -0700

    Eugene Kuznetsov wrote:

    >Hmm, I do not think that "firewall" is the right term for devices that
    >operate at layer 7 or "layer 8". Not on grounds of technical correctness,
    >but of common usage.
    On the contrary, I think that "firewall" is exactly the right word for a
    box that mediates access between networks, regardless of the layer it
    inspects. In point of fact, the original firewalls (application proxy
    firewalls) did do level 7 and 8 inspection. The penchant for
    firewalls that inspect only up to layer 4 is a relatively recent
    "innovation" from the mid-90s with the introduction of packet filter

    > If a big challenge for making a more secure world is
    >information and education about threats and best practices, the term
    >"firewall" does more harm than good. One man's application firewall is
    >another woman's application proxy and someone else's packet filter.
    For exactly the same education reasons of referring to similar function
    devices with similar names, I vehemently object to characterizing
    network intrusion prevention devices of any kind as anything *but*
    firewalls. They can be "deep inspection firewall" or "layer 8 firewall"
    or any other kind of "spiffy keen new-improved firewall." Anyone who
    tries to tell you that a device that mediates between two networks is
    "not a firewall" is selling something.

    It is not that hard to understand or classify. All devices that mediate
    between networks are firewalls, and to distinguish between the levels of
    inspection they do you use qualifying terms:

        * packet filter firewall: stateless inspection of packets.
        * stateful packet filter firewall: stateful inspection of packets.
        * proxy firewall: reconstructs full connection requests to the
          application layer before passing them on, or not.
        * deep inspection firewall: synthesizes an approximation of the
          application-layer semantics of a connection. Strikes me as vaguely
          analogous to stateful packet inspection, but for higher layers.


    Crispin Cowan, Ph.D.
    CTO, Immunix
    firewall-wizards mailing list
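The four classes in the list above, as an added toy simulation that is not part of the original post or of any product discussed in the thread. Everything in it is constructed: the packet model, the assumption that 10.x.x.x is the protected network, the "ACK set" rule standing in for a stateless filter's established-traffic approximation, and the minimal HTTP request check used for the proxy and deep-inspection cases.

```python
"""Toy models of the firewall classes named in the message (constructed example).

Assumptions of this example, not of the original post:
  - 10.x.x.x is the inside network; everything else is outside.
  - A 'stateless' filter admits inbound packets that carry the ACK flag,
    the classic header-only approximation of 'established' traffic.
  - Application-layer checks are a minimal HTTP request-line validation.
"""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


def is_inside(ip: str) -> bool:
    return ip.startswith("10.")  # constructed inside-network test


class PacketFilter:
    """packet filter firewall: each packet is judged on its own headers, no memory."""

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            return True      # outbound traffic is permitted
        return pkt.ack       # inbound: only packets that 'look established'


class StatefulPacketFilter:
    """stateful packet filter firewall: remembers flows opened from inside and
    admits inbound packets only when they answer one of those flows."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:  # new outbound connection attempt
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound packet must be the reverse of a flow we saw opened from inside
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def valid_http_request(data: bytes) -> bool:
    """Minimal check: complete request (ends with a blank line) with a sane request line."""
    if not data.endswith(b"\r\n\r\n"):
        return False
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in {b"GET", b"HEAD", b"POST"} and parts[2] == b"HTTP/1.1"


class ProxyFirewall:
    """proxy firewall: reassembles the whole request, then passes it on, or not."""

    def allow_stream(self, pkts: Iterable[Packet]) -> bool:
        data = b"".join(p.payload for p in pkts)
        return valid_http_request(data)


class DeepInspectionFirewall:
    """deep inspection firewall: approximates layer-7 semantics from the packets
    it sees, here by judging the first payload-bearing packet of a flow."""

    def allow_stream(self, pkts: Iterable[Packet]) -> bool:
        for p in pkts:
            if p.payload:
                return p.payload.startswith((b"GET ", b"HEAD ", b"POST "))
        return True  # no application data yet, nothing to object to


def verdicts() -> dict:
    """Run constructed traffic through each model and return the decisions."""
    inside, outside = "10.0.0.5", "203.0.113.9"
    syn = Packet(inside, 40000, outside, 80, syn=True)
    synack = Packet(outside, 80, inside, 40000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.7", 4444, inside, 40001, ack=True)

    stateless, stateful = PacketFilter(), StatefulPacketFilter()
    for fw in (stateless, stateful):
        fw.allow(syn)  # let both see the outbound open

    # A request split across two segments, and the same request cut short.
    full = [Packet(inside, 40000, outside, 80, payload=b"GET /index.html HTTP/1.1\r\n"),
            Packet(inside, 40000, outside, 80, payload=b"Host: example.test\r\n\r\n")]
    truncated = full[:1]

    return {
        "stateless_reply": stateless.allow(synack),
        "stateless_unsolicited": unsolicited.ack and stateless.allow(unsolicited),
        "stateful_reply": stateful.allow(synack),
        "stateful_unsolicited": stateful.allow(unsolicited),
        "proxy_full": ProxyFirewall().allow_stream(full),
        "proxy_truncated": ProxyFirewall().allow_stream(truncated),
        "deep_full": DeepInspectionFirewall().allow_stream(full),
        "deep_truncated": DeepInspectionFirewall().allow_stream(truncated),
    }


if __name__ == "__main__":
    for name, decision in verdicts().items():
        print(f"{name:24s} {'allow' if decision else 'deny'}")
```

The two pairs of results are the point of the taxonomy: the stateless filter admits any inbound packet with ACK set whether or not anyone inside asked for it, while the stateful filter admits only the reply to a flow it watched being opened; and the proxy, which reconstructs the whole request before forwarding, refuses the truncated one, while the deep-inspection model has already said yes on the strength of a plausible first segment, which is what makes it an approximation of the application layer rather than the real thing.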
