Re: [fw-wiz] Thoughts on the new Cisco ASA 5500 firewalls

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 05/21/05

    To: Tichomir Kotek <tichomir.kotek@lynx.sk>, Chris Byrd <cbyrd01@gmail.com>
    Date: Fri, 20 May 2005 21:34:48 -0400
    
    

    Tichomir Kotek wrote:
    >actually IDS/IPS is handled in separate module, where you can "route"
    >traffic flows for inspection, so at least this do not overload central CPU.

    All of the "Deep packet inspection" firewall/switches that I have
    seen default to "inspection off" and require user configuration
    to turn it on. Presumably that's because there's a big performance
    hit when you're no longer doing fast-path processing and change
    over to "deep" inspection.

    "Deep Packet Inspection" is complete marketing malarkey. Basically
    you have a switch with a lame-O "stateful" firewall and a handful of
    IDS signatures added with the ability to attach a blocking rule when
    they match. Some of these "deep inspection" devices "know" about
    dozens - yes, DOZENS - of different attacks. Some of them know
    how to do minimal application protocol error tracking ("protocol
    anomaly detection") on as many as 6 whole application protocols.
    That's not "intrusion prevention" and it's not "deep" anything. It's
    bogo-security. Customers, of course, lap it up because they are
    happy to remain ignorant as long as vendors offer them something
    that looks like a panacea (at least on powerpoint) that has "virtually
    no performance impact." Well, it's got "virtually no security value"
    either.

    One of my clients was looking at one of the "Deep Inspection"
    firewalls compared to a proxy firewall, and I did a short write-up
    for them; it's on:
    http://www.ranum.com/security/computer_security/editorials/deepinspect
    in case anyone wants a more fleshed out view on why deep
    inspection is just another fundamentally flawed "default permit"
    security "feel good" device.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
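The "default permit" point in the post above, as an added example that is not Ranum's code or any vendor's: a signature filter that blocks only what it recognises, beside a toy protocol validator in the proxy style that permits only what it can parse. The signature patterns, the request grammar and the sample traffic are all constructed for illustration.

```python
import re

# Constructed, placeholder signature set standing in for the "handful of IDS
# signatures" the post describes; these are not any vendor's rules.
SIGNATURES = [
    re.compile(rb"\.\./\.\./"),        # directory-traversal probe
    re.compile(rb"cmd\.exe", re.I),    # classic IIS command probe
]

def deep_inspection_verdict(payload: bytes) -> str:
    """Default permit: block only what matches a known signature."""
    return "block" if any(s.search(payload) for s in SIGNATURES) else "permit"

# Toy HTTP/1.x request grammar for the proxy side (a real proxy checks far more).
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/[\x21-\x7e]{0,2048}) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]{1,64}: [\x20-\x7e]{0,4096}$")

def proxy_verdict(payload: bytes) -> str:
    """Default deny: permit only a request the proxy can fully parse."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "deny"                      # no complete header section: not HTTP
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "deny"                      # unknown method or malformed request line
    if b".." in m.group(2).split(b"/"):
        return "deny"                      # path escapes the document root
    if not all(HEADER_LINE.match(h) for h in lines[1:]):
        return "deny"                      # header that does not fit the grammar
    return "permit"

def compare(payload: bytes) -> tuple:
    """Return (signature-filter verdict, proxy verdict) for one payload."""
    return deep_inspection_verdict(payload), proxy_verdict(payload)

# Constructed sample traffic on the HTTP port.
SAMPLES = {
    "normal":   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "known":    b"GET /../../cmd.exe HTTP/1.0\r\n\r\n",            # matches a signature
    "not_http": b"\x16\x03\x01\x00\x8f" + b"\x00" * 40,            # non-HTTP bytes
    "bad_line": b"FROB /x HTTP/1.1\r\n\r\n",                        # method the proxy rejects
}

if __name__ == "__main__":
    for name, pl in SAMPLES.items():
        sig, proxy = compare(pl)
        print(f"{name:9s} signature={sig:6s} proxy={proxy}")
```

Only the one payload that happens to match a signature is blocked by the filter; anything it has no rule for, HTTP or not, passes, whereas the validator rejects everything it cannot account for.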
