[Snort-users] SNORT vs Firewall
ohdamnthathurts at ...131...
Tue Mar 27 12:19:37 EST 2001
Most times people talk about the two kinds of firewalls but I think that the
third category should be a packet filtering with stateful inspection.
Stateful inspection firewalls give you the ability to add rules that do more
than evaluate individual packets. They keep a history (state table) that
allows decisions to be made based upon packets that have already passed.
Example: An FTP server tries to make a connection back to you when you try
to download a file (in active mode). The stateful firewall will let this
through because it has seen that you (the 'inside' client being protected)
already started an FTP session with the server.
Another example is the governing of UDP traffic. UDP doesn't have all those
nice handshaking flags that TCP uses to let you determine the 'direction' of
a conversation. A regular packet filter firewall may just have to forward a
lot of UDP traffic. Stateful firewalls make sure that anybody who sends
their clients UDP packets has to do so as part of an established
'conversation' that the client started.
BTW: I'm pretty sure I got my facts right about this stuff, but I don't take
that for granted. Please correct me where I'm wrong.
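As an added illustration (not code from the post or from Snort), here is a toy model of the UDP point made above: a stateless filter must admit any inbound UDP that looks like a DNS reply, while a stateful filter only admits packets that match a state-table entry created by an inside client. The inside network prefix, the packet fields and the traffic are all constructed for the example.

```python
# Added example: stateless packet filter vs. stateful filter for UDP.
# Addresses, ports and policy are constructed for illustration only.
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed: addresses with this prefix are 'inside'


@dataclass(frozen=True)
class Packet:
    proto: str    # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


def stateless_allow(pkt: Packet) -> bool:
    """A plain packet filter judges each packet on its own. To let DNS
    replies back in, it has to permit any inbound UDP from source port 53,
    whoever sent it and whether or not a query was ever made."""
    if is_inside(pkt.src):
        return True
    return pkt.proto == "udp" and pkt.sport == 53


class StatefulFilter:
    """Keeps a state table of conversations started from the inside and
    admits an inbound packet only if it is the reverse of a recorded one."""

    def __init__(self) -> None:
        self.table: set = set()   # (proto, in_ip, in_port, out_ip, out_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict:
    """Constructed traffic: an inside client's DNS query, the matching reply,
    and an unsolicited UDP packet from another host also sourced from 53."""
    query = Packet("udp", "10.0.0.5", 40000, "192.0.2.53", 53)
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000)
    rogue = Packet("udp", "198.51.100.9", 53, "10.0.0.5", 40001)
    sf = StatefulFilter()
    return {"stateless": [stateless_allow(p) for p in (query, reply, rogue)],
            "stateful": [sf.allow(p) for p in (query, reply, rogue)]}


if __name__ == "__main__":
    print(run_scenario())   # stateless lets the rogue packet in; stateful does not
```

The active-mode FTP case from the post needs one more step that this toy omits: the firewall must read the PORT command in the control session to add the expected data connection to its table.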
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Lotlikar,
Sent: Monday, March 26, 2001 11:34 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SNORT vs Firewall
thanks for your prompt help.
well i believe a packet filtering firewall works at the network level. most
packet filtering is done on the router. the drawback being that a packet
filter can't protect against spoofed attacks
i must admit that i'm not very sure about a proxy firewall. i think a proxy
firewall is more like screening the traffic at the application level.
the drawback being that there have to be proxy versions for the protocols.
> From: Berend De Schouwer[SMTP:bds at ...1654...]
> Reply To: bds at ...1654...
> Sent: Saturday, March 24, 2001 6:31 PM
> To: Lotlikar, Sushant
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] SNORT vs Firewall
> On Sat, 24 Mar 2001 13:52:04 "Lotlikar, Sushant" wrote:
> | hi every1,
> | i just wanted to know wats the difference between an IDS like snort and
> | FIREWALL.
> An IDS looks at packets and alerts you. An IDS looks for abuses
> of certain applications, or of the TCP/IP protocol suite. An IDS
> can examine network traffic (like Snort), or examine system calls on
> a host (like LIDS).
> A Firewall looks at packets and blocks them. A firewall deals
> with allowing or disallowing certain services or applications to run
> on a network.
> They complement each other: I want to allow DNS traffic, so
> I setup my firewall to allow DNS, but I want to watch for people
> trying to hack my DNS server, so I use an IDS to watch my DNS
> A good firewall will run an IDS as well to protect itself, although
> one that is less resource hungry than Snort. It's not a good idea
> to rely entirely on one product. There is no magic bullet.
> | thanx for help,
> Well, now we get to finer definitions: Under Firewall, do you understand
> a packet filter, a proxy firewall, or both? :)
> | sushant . . .
> | _______________________________________________
> | Snort-users mailing list
> | Snort-users at lists.sourceforge.net
> | Go to this URL to change user options or unsubscribe:
> | http://lists.sourceforge.net/lists/listinfo/snort-users
> | Snort-users list archive:
> | http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Kind regards,
> Berend De Schouwer, +27-11-712-1435, UCS