Do firewalls just filter on IP packet header information? This was asserted by a few people on a panel of security solution providers, perhaps mostly by the IDS and SIM vendors. This panel discussion, which I moderated, was at the New York Metro Network Security Forum of The Institute for Applied Internet Security (which I talk about here).

Okay, the answer is “heck no.” How did we get here? Why do we think this? First, a brief history (which you can find in a presentation at FirewallsHistory.html). The first security firewalls were built on routers with static packet filtering, making decisions of PERMIT and DENY based on the packet header (source, destination, packet type, port). Most modern firewalls simply add dynamics, allowing for decisions based on whether the session was already initiated. Still, it is true that these firewalls know nothing about the applications running through them. But, those are not the only types of firewalls. Firewalls have been able to make application-specific decisions since the first application gateway firewalls hit the Internet in the early 1990s.

So, why do people think firewalls require IDS? Because the top-selling firewalls have for the past 8 to 10 years promoted usability and administration over security. Not overtly, but when the former are promoted, the thing that gives is the latter.

Check out the above mentioned presentation, if you like. You also might be interested in fw2hundred.html, apgw+spf.html, and this article from Information Security Magazine, 1999.