Re: [fw-wiz] Firewalls Compared
From: Crispin Cowan (crispin_at_immunix.com)
To: Eugene Kuznetsov <email@example.com> Date: Wed, 30 Jun 2004 05:22:19 -0700
Eugene Kuznetsov wrote:
>Hmm, I do not think that "firewall" is the right term for devices that
>operate at layer 7 or "layer 8". Not on grounds of technical correctness,
>but of common usage.
On the contrary, I think that "firewall" is exactly the right word for a
box that mediates access between networks, regardless of the layer it
inspects. In point of fact, the original firewalls (application proxy
firewalls) did do level 7 and 8 inspection. The penchant for for
firewalls that inspect only up to layer 4 is a relatively recent
"innovation" from the mid-90s with the introduction of packet filter
> If a big challenge for making a more secure world is
>information and education about threats and best practices, the term
>"firewall" does more harm than good. One man's application firewall is
>another woman's application proxy and someone else's packet filter.
For exactly the same education reasons of referring to similar function
devices with similar names, I vehemently object to characterizing
network intrusion prevention devices of any kind as anything *but*
firewalls. They can be "deep inspection firewall" or "layer 8 firewall"
or any other kind of "spiffy keen new-improved firewall." Anyone who
tries to tell you that a device that mediates between two networks is
"not a firewall" is selling something.
It is not that hard to understand or classify. All devices that mediate
between networks are firewalls, and to distinguish between the levels of
inspection they do you use qualifying terms:
* packet filter firewall: stateless inspection of packets.
* stateful packet filter firewall: stateful inspection of packets.
* proxy firewall: reconstructs full connection requests to the
application layer before passing them on, or not.
* deep inspection firewall: synthesizes an approximation of the
application-layer semantics of a connection. Strikes me as vaguely
analogous to stateful packet inspection, but for higher layers.
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards