Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

From: M. Dodge Mumford
Date: 08/20/04

    Date: Fri, 20 Aug 2004 08:56:37 -0400
    To: Rob Shein

    Rob Shein said:
    > At first, there were packet filters, which only cared about what ports were
    > used and which hosts were talking; they were ignorant with regard to
    > connection state, fragmentation, or any other aspects of the communication.
    > And they failed to account for services like FTP, where an outside host
    > needs to open a second inbound channel on an unpredictable port to the
    > server. But it definitely cut back on the exposure of a network to outside
    > attackers.

    Actually, you missed the first step -- proxy firewalls. They used their
    host's TCP stack and could readily handle secondary channels for services where
    proxies had been written. The boxes were expected to be bastions -- to
    actually block traffic, and to fall over if attacked with sufficient vigor
    (thus protecting the critical resources). But they were slow compared to
    the packet filters and stateful inspection firewalls. The vendors failed to
    demonstrate how they could mitigate attacks that the market failed to
    appreciate (or decided the cost outweighed the risk). They would have been
    an ideal place to perform the checks that prevention systems are now moving
    towards, but are treated as tubercular lepers.

    As Ron Gula mentions, enterprise firewalls are expected to have a certain
    (large) feature set. By referring to this new breed of stuff as being "kinda
    like a firewall", vendors get to create an entire new buzzphrase (rest in
    peace, lowly buzzword), and not have to directly compete with the big guys
    who dominate that space. IPS vendors don't have to feel bad about not being
    a VPN endpoint, proxies, etc. Yet.

    It seems to me the meaning of "firewall" has long since been extended to
    mean just about anything that has the ability to block traffic.

    Dodge, who works for a vendor in the market. Add salt.
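The FTP secondary-channel problem Rob raises above is the concrete reason a packet filter cannot do the job and a proxy (or a stateful helper) can: the port of the data connection is announced inside the control channel, so something has to read the control stream. The following is an added example, not code from either poster or from any vendor product mentioned in the thread. It is a minimal FTP control-channel inspector that parses active-mode PORT commands from the client and passive-mode 227 replies from the server, derives the one data connection that should be allowed, and refuses a PORT that names an address other than the client's own (the classic FTP bounce). The session transcript, host addresses and the Pinhole type are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Active mode: client says "PORT h1,h2,h3,h4,p1,p2" and the SERVER connects in.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: server replies "227 ... (h1,h2,h3,h4,p1,p2)" and the CLIENT connects out.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One data connection a stateful helper would permit (hypothetical type)."""
    src_ip: str      # host that initiates the data connection
    dst_ip: str
    dst_port: int
    direction: str   # "inbound" = server -> client, "outbound" = client -> server


def _decode(octets: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated FTP address fields into (ip, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in octets)
    for o in (a, b, c, d, p1, p2):
        if not 0 <= o <= 255:
            raise ValueError("field out of range")
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{a}.{b}.{c}.{d}", port


def pinhole_for_line(sender: str, line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Return the pinhole implied by one control-channel line, or None.

    sender is "C" (client -> server) or "S" (server -> client); a PORT is only
    honoured from the client and a 227 only from the server.
    """
    if sender == "C":
        m = PORT_RE.match(line)
        if m:
            ip, port = _decode(m.groups())
            if ip != client_ip:
                # FTP bounce: client asks the server to connect to a third party.
                raise ValueError(f"PORT address {ip} is not the control-channel client {client_ip}")
            if port < 1024:
                raise ValueError("PORT to a privileged port refused")
            return Pinhole(src_ip=server_ip, dst_ip=ip, dst_port=port, direction="inbound")
    elif sender == "S":
        m = PASV_RE.match(line)
        if m:
            ip, port = _decode(m.groups())
            if ip != server_ip:
                raise ValueError(f"227 address {ip} is not the control-channel server {server_ip}")
            return Pinhole(src_ip=client_ip, dst_ip=ip, dst_port=port, direction="outbound")
    return None


def pinholes_for_session(session: List[Tuple[str, str]], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk a control-channel transcript and collect every data-channel pinhole."""
    holes = []
    for sender, line in session:
        hole = pinhole_for_line(sender, line, client_ip, server_ip)
        if hole is not None:
            holes.append(hole)
    return holes


# Constructed sample transcript; addresses are from documentation ranges.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.21"
SESSION = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@"),
    ("S", "230 Logged in"),
    ("C", "PORT 192,0,2,10,195,80"),                          # 195*256 + 80 = 50000
    ("S", "200 PORT command successful"),
    ("C", "RETR file.txt"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,21,234,54)"),  # 234*256 + 54 = 59958
    ("C", "RETR other.txt"),
]

if __name__ == "__main__":
    for hole in pinholes_for_session(SESSION, CLIENT_IP, SERVER_IP):
        print(f"allow {hole.direction}: {hole.src_ip} -> {hole.dst_ip}:{hole.dst_port}")
```

A packet filter that never reads the control channel has only two options for active-mode FTP: refuse it, or leave a wide range of high ports open inbound to every client. The inspector above is what a proxy or helper adds; the two address checks are the part most easily forgotten, and skipping them turns the helper into an open relay for whatever the control channel names.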
