Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Crispin Cowan <crispin () wirex com>
Date: Sat, 30 Mar 2002 12:24:53 -0800

Stiennon, Richard wrote:

> Whoa guys, I think you are way off base here. ...
> The technology introduced by OneSecure, Tippingpoint, and Intruvert in
> recent weeks is way different. They have expanded the concept of stateful
> inspection to help with the through-put issue. Instead of attempting to do a
> 100% comparison of every signature with every packet they only compare
> relevant portions of a stream to relevant signatures.
> When a match is made (or an anomaly detected) the device just drops the
> session. There is no rule added that blocks access from a source. You could
> hack away at my web server all day from AOL and I would drop your attempts
> (those using known hacks) while still allowing all of AOL to see my web
> pages.
I get the concept. But it is precisely the labeling of this marginal improvement in firewalls as "intrusion prevention" that I object to. This is just a nice little increment in firewall technology. It is not "intrusion prevention" any more than classical firewalls are. IMHO, it is just confusing to consumers to give a big new name to a minor improvement in a classic approach.

"Introduced" is kinda funny too: I encountered this idea about three years ago. IIRC that chat, the claim was that various IDSs would feed event info to (say) a Check Point firewall, which would adjust its rules in response. The distinction between blocking an attacking host and dropping a session is a nuance, at best, and I'm not convinced it is an improvement :-)

> Host hardening systems from the likes of Okena, and Entercept are different from Firewalls + AV too.
And Immunix, which has been doing what you call "host hardening", and what we call "intrusion rejection" for Linux since 1998, thankyouverymuch :) We regard intrusion rejection as distinct from host hardening:

   * host hardening:  turning off un-needed services to reduce
     vulnerability, at the expense of functionality (what if you really
     want a finger daemon? :)
   * intrusion rejection: instrumenting the applications themselves so
     that they can reject intrusion attempts, e.g. StackGuard (resists
     buffer overflow attacks), FormatGuard (resists printf format
     string attacks), and RaceGuard (resists temp file race attacks).


> This is a sea change in defensive technologies folks. It breaks away from the more-better-faster IDS camp.
I question the significance of this "change". The sources of most attacks are machines that were previously hacked. Whether your adaptive attack drops the session or blocks the attacking host doesn't make much difference: the attacker will just switch to some other hacked host that they "0wn".

By analogy, it is kind of like an adaptive flak jacket. Great, you can program it to stop .308 bullets, but that doesn't stop the attacker from hitting you with .30-06. Selective immunity is good against non-intelligent attacks (biological diseases & computer viruses) but is not so good against attackers who can *also* adapt their attacks to your defenses.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
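The "intrusion rejection" idea in the post above (instrumenting the application so it detects and refuses a buffer overflow itself, the way StackGuard does) is illustrated below with an added example written for this archive page. It is not StackGuard's code and not part of the original message: StackGuard places a random guard word next to the saved return address at compile time, while this self-contained model places a guard word beside a fixed-size field in a struct so the check can run and be observed in ordinary C. The canary value, the struct, the function names and the 24-byte input are all constructed for the example.

```c
/* Illustrative model of canary-based overflow rejection. Written for this
 * page as an educational example; it is not StackGuard's implementation,
 * which guards the return address on the real stack. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the random per-process guard word a real
 * compiler instrumentation would choose at program start. */
#define CANARY_VALUE 0x5a3c9e1fu

/* A fixed-size field followed directly by its guard word (16 + 4 bytes,
 * no padding). A write that runs past 'name' lands on 'canary' first,
 * which is what makes the corruption detectable before anything behind
 * it (in StackGuard's case, the saved return address) gets used. */
struct guarded_record {
    char     name[16];
    uint32_t canary;
};

static void record_init(struct guarded_record *r) {
    memset(r->name, 0, sizeof r->name);
    r->canary = CANARY_VALUE;
}

/* Unchecked copy: models the classic bug the post refers to. Bytes beyond
 * sizeof(name) spill into the adjacent guard word. The write goes through
 * an unsigned char pointer over the whole struct and is clamped to the
 * struct's size, so the demonstration stays well-defined C. */
static void record_set_name_unchecked(struct guarded_record *r,
                                      const char *src, size_t len) {
    if (len > sizeof *r) len = sizeof *r;   /* never write outside the struct */
    memcpy((unsigned char *)r, src, len);
}

/* Checked copy: what a hardened program does instead. Oversized input is
 * rejected outright rather than silently truncated. */
static bool record_set_name_checked(struct guarded_record *r,
                                    const char *src, size_t len) {
    if (len >= sizeof r->name) return false;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return true;
}

/* The rejection step: the guard word must still hold its original value. */
static bool record_canary_intact(const struct guarded_record *r) {
    return r->canary == CANARY_VALUE;
}

/* True when an oversized unchecked write is caught by the canary. */
bool demo_oversized_write_detected(void) {
    struct guarded_record r;
    char input[24];
    memset(input, 'A', sizeof input);      /* constructed 24-byte input */
    record_init(&r);
    record_set_name_unchecked(&r, input, sizeof input);
    return !record_canary_intact(&r);
}

/* True when a within-bounds checked write leaves the canary intact. */
bool demo_bounded_write_intact(void) {
    struct guarded_record r;
    record_init(&r);
    bool ok = record_set_name_checked(&r, "fingerd", 7);
    return ok && record_canary_intact(&r) && strcmp(r.name, "fingerd") == 0;
}

/* True when the checked copy refuses oversized input and the canary survives. */
bool demo_checked_rejects_oversized(void) {
    struct guarded_record r;
    char input[24];
    memset(input, 'A', sizeof input);
    record_init(&r);
    bool ok = record_set_name_checked(&r, input, sizeof input);
    return !ok && record_canary_intact(&r);
}

int main(void) {
    printf("oversized unchecked write detected by canary: %s\n",
           demo_oversized_write_detected() ? "yes" : "no");
    printf("bounded checked write keeps canary intact:    %s\n",
           demo_bounded_write_intact() ? "yes" : "no");
    printf("checked copy refuses oversized input:         %s\n",
           demo_checked_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The point the example makes is the one the post draws: detection lives inside the program, at the spot where the corruption happens, rather than in a network device guessing at signatures upstream. In a real deployment the check runs on function return and the guard value is randomized per process, which is why a guessed or fixed canary is not an adequate substitute.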


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards