Recently, I've been taking a look at a few new IDS/IDP products for an upcoming article. The most interesting part of the experience has been the glaring illustration of where IDP is destined. The most effective IDS/IDP solutions are really layer-7 firewalls without NAT and VPN termination. In the near future, we will see products marketed as firewalls that will be able to filter as generally as layer 3, and as granularly as layer 7.

Layer-7 firewalling isn't unheard of, but in practice it's hard to implement. Filtering on a finite set of ports or IP addresses is simple compared to firewalls that filter on portions of an HTTP header or specific functions of an IM protocol. The evolution of the firewall is directly tied to the ease with which these filters can be created and managed.

One interesting aspect of these changes will be the speed. It took quite a while for the firewall to graduate to an appliance. Years of maintaining Solaris systems running Firewall-1, NT servers running Raptor, or *nix systems running the packet filter du jour dance through my head. Firewalls built on a server platform are a liability, plain and simple. The underlying OS isn't specifically built to run the firewalling code, and the system has spinning disk, hopefully redundant, but still there.
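The contrast between layer-3/4 filtering and layer-7 filtering drawn above can be made concrete with a toy rule engine. The following is an added example, not code from the original post or from any of the products it reviews; the packet layout, the rule set, the addresses and the HTTP requests are all constructed for illustration. A layer-3/4 rule compares fixed fields, while a layer-7 rule on an HTTP header first has to parse the payload, and the example also shows the caveat that follows from that: a layer-7 deny rule cannot match traffic it cannot parse, so a port-80 stream that is not well-formed HTTP falls through to whatever rule comes next.

```python
"""Layer-3/4 vs. layer-7 (HTTP header) firewall rules, as an added illustration.

Hypothetical toy rule engine; not any vendor's code. All sample traffic below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes = b""


def l3_match(pkt: Packet, *, src_net: Optional[str] = None,
             proto: Optional[str] = None, dport: Optional[int] = None) -> bool:
    """Layer-3/4 rule: compare address, protocol and port; the payload is never read."""
    if src_net is not None and ip_address(pkt.src) not in ip_network(src_net):
        return False
    if proto is not None and pkt.proto != proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    return True


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x request-line and header parser; None if the bytes are not a request."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"),
            "target": parts[1].decode("latin-1"),
            "headers": headers}


def l7_http_match(pkt: Packet, *, method: Optional[str] = None,
                  header: Optional[str] = None, contains: Optional[str] = None) -> bool:
    """Layer-7 rule: only meaningful once the payload parses as HTTP."""
    req = parse_http_request(pkt.payload)
    if req is None:
        return False
    if method is not None and req["method"] != method:
        return False
    if header is not None:
        value = req["headers"].get(header.lower())
        if value is None:
            return False
        if contains is not None and contains not in value:
            return False
    return True


Rule = Tuple[str, Callable[[Packet], bool]]


def evaluate(pkt: Packet, rules: List[Rule], default: str = "allow") -> str:
    """First-match evaluation, the way a simple ordered firewall policy is applied."""
    for action, pred in rules:
        if pred(pkt):
            return action
    return default


# Constructed policy: block HTTP requests for the host "admin.example" coming from
# the guest network, allow other web traffic on the same port, deny everything else.
RULES: List[Rule] = [
    ("deny", lambda p: l3_match(p, src_net="10.10.0.0/16", proto="tcp", dport=80)
                       and l7_http_match(p, header="Host", contains="admin.example")),
    ("allow", lambda p: l3_match(p, proto="tcp", dport=80)),
    ("deny", lambda p: True),
]

# Constructed sample traffic from a guest-network client.
ADMIN_REQ = Packet("10.10.4.7", "192.0.2.10", "tcp", 80,
                   b"GET /login HTTP/1.1\r\nHost: admin.example\r\n\r\n")
PUBLIC_REQ = Packet("10.10.4.7", "192.0.2.10", "tcp", 80,
                    b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n")
NOT_HTTP = Packet("10.10.4.7", "192.0.2.10", "tcp", 80, b"\x16\x03\x01not-http")
SSH = Packet("10.10.4.7", "192.0.2.10", "tcp", 22, b"SSH-2.0-client\r\n")

if __name__ == "__main__":
    for name, pkt in [("admin", ADMIN_REQ), ("public", PUBLIC_REQ),
                      ("not-http", NOT_HTTP), ("ssh", SSH)]:
        print(f"{name:9s} -> {evaluate(pkt, RULES)}")
```

The two HTTP requests are identical at layer 3/4 (same source, destination, protocol and port), so only the header rule can tell them apart. The non-HTTP stream on port 80 is allowed, because the header rule returns false when parsing fails and the next rule matches on port alone; a deployment that wants layer-7 rules to be the last word has to add an explicit rule for traffic that does not parse as the expected protocol.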
The time it takes to condense the extreme functionality of the new firewalls into an embedded device will hopefully be much shorter than the last evolution, since the benefits are equal, if not greater.

Today's random audio track: Friday Afternoon In The Universe from the album "Friday Afternoon in the Universe" by Medeski Martin and Wood