adam.shand.net/iki/2007/: Think of it as a kludge for your inadequate patching procedures

There's been a recent Shmoo conversation about how firewalls evolved from being application proxies, to packet filters and now are re-evolving back to proxy servers (and how much of the first evolution to packet filters was due to marketing by Checkpoint). The below post by Crispin Cowan was such a good summary that I felt the need to repost it here:

IMHO, this happened only partially because of Checkpoint marketing bullshit. There is actually a sound technical reason:

But the packet filter was more than just a cheap hack. What had really been discovered is that there is very strong regularity in traffic up to layer 4. MACs, IPs, ports, and protocols; the "good" stuff we want is easily discerned from the "bad" stuff we don't, and so you can deploy a "default deny" filter with relatively little pain.

Above layer four, regularity goes to hell. There's a zillion applications out there, and six new ones a day. As a direct consequence, you cannot deploy a "default deny" network policy, unless your social policy is "no new applications unless management and the network security admin explicitly permit it."

Frustrating as it may be, this situation is quite natural: the application layer is hugely complex, there is no free lunch, and you either have the inflexibility of default deny, or the insecurity of default allow.

IPSes & such end up functioning as flaky firewalls. They are mostly good at blocking attacks against known vulnerabilities and exploits, and other than that they suck ass.

So why would a site want a flaky firewall that only stops known exploits? Because patching is a bitch. There are lots of reasons why you cannot apply a patch right now when it is announced, and wouldn't it be nice if you could fend off the wave of attacks that are about to hit you without having to disrupt operations with a patch you can't handle right now?

So don't think of IPS as magic security pixie dust. Think of it as a kludge to cover for your inadequate patching procedures.
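The asymmetry Crispin describes (a layer-4 filter that can be default deny because the fields are regular, versus a signature-based IPS that only stops exploits it already knows and must pass everything else) can be made concrete with a toy evaluator. The following is an added example, not code from the original post or from Crispin's message; the rule format, the addresses, the flows and the exploit "signatures" are all constructed placeholders, not any product's format.

```python
"""
Toy comparison of a layer-4 default-deny packet filter with a
signature-based, default-allow IPS check. Added illustration; every
rule, address and "signature" below is a constructed placeholder.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp" or "udp"
    src: str              # source IP (constructed sample values)
    dst: str              # destination IP
    dport: int            # destination port
    payload: bytes = b""  # application data; only the IPS layer looks at it


# Layer-4 allow list: (protocol, destination network, destination port).
# Anything not listed is dropped. This is the "default deny" the post
# describes: cheap to write because the layer-4 fields are regular.
L4_ALLOW = [
    ("tcp", ip_network("10.0.0.0/24"), 80),
    ("tcp", ip_network("10.0.0.0/24"), 443),
    ("udp", ip_network("10.0.0.53/32"), 53),
]

# Signature-based "IPS": byte patterns assumed to identify known exploits
# (placeholders). A payload that matches no signature is passed, so this
# layer is default allow: it can only stop what it has already seen.
KNOWN_BAD_SIGNATURES = {
    "placeholder-sig-A": b"KNOWN-EXPLOIT-A",
    "placeholder-sig-B": b"KNOWN-EXPLOIT-B",
}


def l4_verdict(flow: Flow) -> str:
    """Default-deny layer-4 decision: 'allow' only on an explicit rule match."""
    dst = ip_address(flow.dst)
    for proto, net, port in L4_ALLOW:
        if flow.proto == proto and dst in net and flow.dport == port:
            return "allow"
    return "deny"


def ips_verdict(flow: Flow) -> str:
    """Default-allow signature check: 'block' only on a known pattern."""
    for name, pattern in KNOWN_BAD_SIGNATURES.items():
        if pattern in flow.payload:
            return "block"
    return "pass"


def verdict(flow: Flow) -> str:
    """Packet filter first, then the IPS on whatever the filter let through."""
    if l4_verdict(flow) == "deny":
        return "deny"
    if ips_verdict(flow) == "block":
        return "block"
    return "allow"


# Constructed sample flows exercising each case in the post.
SAMPLE_FLOWS = {
    "normal_web":      Flow("tcp", "192.0.2.10", "10.0.0.7", 80, b"GET / HTTP/1.1"),
    "known_exploit":   Flow("tcp", "192.0.2.10", "10.0.0.7", 80, b"GET /x KNOWN-EXPLOIT-A"),
    "unknown_exploit": Flow("tcp", "192.0.2.10", "10.0.0.7", 80, b"GET /y NEVER-SEEN-BEFORE"),
    "new_app_port":    Flow("tcp", "192.0.2.10", "10.0.0.7", 8080, b"hello"),
    "dns":             Flow("udp", "192.0.2.10", "10.0.0.53", 53, b"\x00\x01"),
}


def evaluate_all() -> dict:
    """Return the combined verdict for every constructed sample flow."""
    return {name: verdict(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:16s} -> {result}")
```

The "new_app_port" flow is benign but is dropped by the layer-4 default deny, which is the inflexibility Crispin mentions; the "unknown_exploit" flow passes both layers because the IPS has no signature for it, which is why he calls an IPS a flaky firewall that only stops known exploits; and "known_exploit" is the one case where the IPS buys you time while a patch is pending.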