Fred Avolio's Musings

musings on security and other topics

Tue, 25 Nov 2003
The Institute for Applied Network Security

I spent an interesting and unique 2 days this week with some fascinating people in the computer security field. Though I was a member of the faculty, there were no classrooms and no formal instruction. Instead the other faculty and I acted as facilitators of discussion groups made up of the members, who are from a cross-section of the public and private sector. As The Institute's web page says, "The Forum's curriculum is modeled on the Harvard Business School teaching method, which emphasizes real-world, case-based discussions that yield tangible, usable techniques and insights. In order to create an intimate discussion environment, enrollment is limited to only 100 qualified network security professionals." It was sort of like what I envision "Renaissance Weekend" to be like, except without the Clintons (and so more enjoyable, at least for me), and made up of really smart people with varying experience and maturity in our field. When we started I knew about 5 people there, including a few of the faculty. When we left -- after only two days -- I felt as if I were leaving 80 colleagues.

The calendar for 2004 is available at http://www.ianetsec.com.

[/security/] permanent link

What do we think firewalls do? (Fred Rants)

Do firewalls just filter on IP packet header information? A few people on a panel of security solution providers asserted that they do, perhaps mostly the IDS and SIM vendors. This panel discussion, which I moderated, was at the New York Metro Network Security Forum of The Institute for Applied Network Security (see the previous entry).

Okay, the answer is "heck no." How did we get here? Why do we think this? First, a brief history (which you can find in a presentation at FirewallsHistory.html). The first security firewalls were built on routers with static packet filtering, making PERMIT and DENY decisions from the packet header alone (source address, destination address, protocol, port). Most modern firewalls simply add state: they remember which sessions have already been permitted, so a reply packet gets in because it belongs to a session the inside opened, not because a rule matches it on its own. Still, it is true that these firewalls know nothing about the applications running through them; a packet to port 80 is "web traffic" whether or not it actually carries HTTP. But those are not the only types of firewalls. Firewalls have been able to make application-specific decisions since the first application gateway (proxy) firewalls hit the Internet in the early 1990s.
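As an added illustration of the three generations just described (this is example code written for this page, not anything from the original post or from any real firewall product), here is a small Python model with constructed sample traffic. The rule syntax, the session-table logic and the HTTP check are all simplifications chosen for the demonstration: a static ACL, a stateful filter layered on it, and an application gateway that refuses a non-HTTP payload riding on port 80 even though every header field is permitted.

```python
"""Toy model of three firewall generations: static packet filter,
stateful packet filter, and application gateway (proxy).
Sample packets below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN: the packet that opens a session
    payload: bytes = b""


@dataclass
class Rule:
    action: str           # "PERMIT" or "DENY"
    src: str = "*"        # "*" or an address prefix such as "10.0."
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def net(pattern: str, addr: str) -> bool:
            return pattern == "*" or addr.startswith(pattern)
        return (net(self.src, p.src) and net(self.dst, p.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))


def static_filter(rules, p: Packet) -> str:
    """Router-style ACL: header fields only, first match wins, default DENY."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"


class StatefulFilter:
    """Same ACL plus a session table: a reply belonging to a session that was
    already permitted is let through without needing its own rule."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.sessions:
            return "PERMIT"                     # reply to a known session
        if p.proto == "tcp" and not p.syn and key not in self.sessions:
            return "DENY"                       # mid-stream packet, no session
        verdict = static_filter(self.rules, p)
        if verdict == "PERMIT":
            self.sessions.add(key)
        return verdict


def looks_like_http(data: bytes) -> bool:
    """Minimal request-line check: METHOD SP /path SP HTTP/1.x (hypothetical)."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD")
            and parts[1].startswith(b"/") and parts[2].startswith(b"HTTP/1."))


class ApplicationGateway(StatefulFilter):
    """On top of state, parse the application protocol expected on the port
    and refuse anything that is not that protocol."""
    def decide(self, p: Packet) -> str:
        verdict = super().decide(p)
        if verdict != "PERMIT" or not p.payload:
            return verdict
        if p.dport == 80 and not looks_like_http(p.payload):
            return "DENY"                       # permitted port, wrong protocol
        return verdict


# Constructed policy and traffic: inside (10.0.0.0/16) may reach one web server.
RULES = [Rule("PERMIT", src="10.0.", dst="192.0.2.10", proto="tcp", dport=80)]
OUTBOUND_SYN = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, syn=True)
REPLY = Packet("192.0.2.10", "10.0.0.5", "tcp", 80, 40000)
MIDSTREAM = Packet("10.0.0.5", "192.0.2.10", "tcp", 40001, 80)      # no SYN seen
HTTP_REQ = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80,
                  payload=b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
TUNNEL = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80,
                payload=b"SSH-2.0-OpenSSH\r\n")  # not HTTP, riding on port 80


def run_all() -> dict:
    sf = StatefulFilter(RULES)
    ag = ApplicationGateway(RULES)
    return {
        "static_reply": static_filter(RULES, REPLY),            # DENY
        "stateful_reply": (sf.decide(OUTBOUND_SYN), sf.decide(REPLY)),
        "stateful_midstream": sf.decide(MIDSTREAM),             # DENY
        "stateful_tunnel": sf.decide(TUNNEL),                   # PERMIT
        "gateway_tunnel": (ag.decide(OUTBOUND_SYN), ag.decide(TUNNEL)),
        "gateway_http": ag.decide(HTTP_REQ),                    # PERMIT
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:20s} {verdict}")
```

The static filter has to deny the server's reply because no rule matches it; the stateful filter lets that reply in on the strength of the session the inside opened, but still permits the SSH banner on port 80 because its headers are identical to the permitted HTTP request. Only the gateway, which actually parses the protocol it is proxying, tells those two apart.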

So, why do people think firewalls require IDS? Because the top-selling firewalls have for the past 8 to 10 years promoted usability and administration over security. Not overtly, but when the former are promoted, the thing that gives is the latter.

Check out the above-mentioned presentation, if you like. You also might be interested in fw2hundred.html, apgw+spf.html, and this article from Information Security Magazine, 1999.

[/security/] permanent link