Great Circle Associates Firewalls
(September 1995)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: "Part of the Whole" - Firewalls
From: janken @ rust . net (Millennium Consulting)
Date: Tue, 26 Sep 1995 07:22:07 -0700
To: afoss @ translation . com
Cc: firewalls @ greatcircle . com, sedayao @ argus . intel . com

>Andrew Foss's comments
>People always come to us and ask about our "firewall". My first response is
>we don't make a "firewall", we make a system which can be an important
>component of a firewall.
>I believe that if anyone ever claims to make 1 system that is the whole
>firewall, it's inherently flawed.
>We need terms to differentiate "the firewall" meaning the whole system by
>which you protect your network and "a firewall product", which provides a
>piece of the solution(e.g. filtering router, proxy server, address
>translator, bastion host, DMZ, etc.).
>I hate calling our system a "firewall", because it's only a piece, but for
>marketing reasons, it's clearly the term people are used to hearing.
>Anyone have any better or more clear terminology suggestions? I'd love to
>hear 'em.
Since our industry stole Firewall terminology from the construction industry
it may help to review their definitions.

FIRESTOP   A component used to block an open space enclosed in a wall that
would provide a path for flames through the wall.

FIREWALL   A wall constructed of fire resistant (time/temperature rated)
materials used to keep a fire from spreading beyond a specified area.

The point here is that electronic firewalls are built of resistant materials
just like building walls.  A 1 hour fire-rated building wall will only
provide protection for 1 hour because of the material used in its
construction.  Our electronic firewalls are built of multiple components and
must be rated based on our experience with those components (the people on
this list comprise the "Underwriters Labs" for firewalls).  

I do not think most people would like to use the FIRESTOP term to describe
an electronic "FIREWALL" device (e.g. filtering router, proxy server, address
translator, bastion host, DMZ, etc.).  It unfortunatly is more correct from
a logic perspective.

<Jeffrey C. Sedayao comments 
<I suggest that you call the whole system you are trying to protect a 
<"perimeter", and that firewalls are pieces of the perimeter.  You can also 
<have several perimeters nested inside of each other, each perimeter
<possibly having several firewalls.   

I hate discussing perimeters with management.  Most upper-managers do not
understand the border crossings when presented in that context (nested
perimeters). One of the reasons the firewall terminology works is that the
CEO can put his hands on one. 

My $.02      Ken        

Indexed By Date Previous: Re: Just when you thought http proxies were good enough...
From: "Bryan D. Boyle" <bdboyle @ maverick . erenj . com>
Next: Re: Just when you thought http proxies were good enough...
From: Alan Dowd <adowd @ inms-db . os . dhhs . gov>
Indexed By Thread Previous: Re: "Part of the Whole" - Firewalls
From: "Jim Carroll" <jcarroll @ wellspring . us . dg . com>
Next: IBM NetSP Firewalls
From: Mike Powdermaker <Mike_Powdermaker @ mckinsey . com>

Search Internet Search