Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)
From: M. Dodge Mumford (dodge_at_dmumford.com)
Date: Fri, 20 Aug 2004 08:56:37 -0400 To: Rob Shein <email@example.com>
Rob Shein said:
> At first, there were packet filters, which only cared about what ports were
> used and which hosts were talking; they were ignorant with regard to
> connection state, fragmentation, or any other aspects of the communication.
> And they failed to account for services like FTP, where an outside host
> needs to open a second inbound channel on an unpredictable port to the
> server. But it definitely cut back on the exposure of a network to outside
Actually, you missed the first step -- proxy firewalls. They used their
host's TCP stack, could readily handle secondary channels for services where
proxies chad been written. The boxes were expected to be bastions -- to
actually block traffic, and to fall over if attacked with sufficient vigor
(thus protecting the critical resources). But they were slow compared to
the packet filters and stateful inspection firewalls. The vendors failed to
demonstrate how they could mitigate attacks that the market failed to
appreciate (or decided the cost outweighed the risk). They would have been
an ideal place to perform the checks that prevention systems are now moving
towards, but are treated as tubercular lepers.
As Ron Gula mentions, enterprise firewalls are expected to have a certain
(large) feature set. By referring to this new breed of stuff as being "kinda
like a firewall", vendors get to create an entire new buzzphrase (rest in
peace, lowly buzzword), and not have to directly compete with the big guys
who dominate that space. IPS vendors don't have to feel bad about not being
a VPN endpoint, proxies, etc. Yet.
It seems to me the meaning of "firewall" has long since been extended to
mean just about anything that has the ability to block traffic.
-- Dodge, who works for a vendor in the market. Add salt.
- application/pgp-signature attachment: stored