Firewall Wizards mailing list archives
Re: Intrusion Prevention Firewall
From: Crispin Cowan <crispin () wirex com>
Date: Sat, 30 Mar 2002 12:24:53 -0800
Stiennon, Richard wrote:

> Whoa guys, I think you are way off base here. ... I get the concept. But it is precisely the labeling of this marginal improvement in firewalls as "intrusion prevention" that I object to. This is just a nice little increment in firewall technology. It is not "intrusion prevention" any more than classical firewalls are. IMHO, it is just confusing to consumers to give a big new name to a minor improvement in a classic approach.
>
> The technology introduced by OneSecure, Tippingpoint, and Intruvert in recent weeks is way different. They have expanded the concept of stateful inspection to help with the through-put issue. Instead of attempting to do a 100% comparison of every signature with every packet they only compare relevant portions of a stream to relevant signatures.
>
> When a match is made (or an anomaly detected) the device just drops the session. There is no rule added that blocks access from a source. You could hack away at my web server all day from AOL and I would drop your attempts (those using known hacks) while still allowing all of AOL to see my webpages.
"Introduced" is kinda funny too: I encountered this idea about three years ago. IIRC that chat, the claim was that various IDSs would feed event info to (say) a Check Point firewall, which would adjust its rules in response. The distinction between blocking an attacking host and dropping a session is a nuance, at best, and I'm not convinced it is an improvement :-)
> Host hardening systems from the likes of Okena and Entercept are different from Firewalls + AV too.

And Immunix, which has been doing what you call "host hardening", and what we call "intrusion rejection", for Linux since 1998, thankyouverymuch :) We regard intrusion rejection as distinct from host hardening:

* host hardening: turning off un-needed services to reduce vulnerability, at the expense of functionality (what if you really want a finger daemon? :)
* intrusion rejection: instrumenting the applications themselves so that they can reject intrusion attempts, e.g. StackGuard (resists buffer overflow attacks), FormatGuard (resists printf format string attacks), and RaceGuard (resists temp file race attacks).
> This is a sea change in defensive technologies folks. It breaks away from the more-better-faster IDS camp.

I question the significance of this "change". The source of most attacks are machines that were previously hacked. Whether your adaptive attack drops the session or blocks the attacking host doesn't make much difference: the attacker will just switch to some other hacked host that they "0wn".
By analogy, it is kind of like an adaptive flak jacket. Great, you can program it to stop .308 bullets, but that doesn't stop the attacker from hitting you with .30-06. Selective immunity is good against non-intelligent attacks (biological diseases & computer viruses) but is not so good against attackers who can *also* adapt their attacks to your defenses.
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
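The two automated responses argued over above (drop only the session whose stream matches a signature, versus add a rule blocking the source host) can be compared on a small constructed traffic sample. The script below is an added illustration and is not code from the thread, from WireX/Immunix, or from any of the vendors named; the signatures, addresses and user names are constructed placeholders, and the "shared proxy address" models the AOL case where many legitimate users sit behind one source address. It scores each policy on attack sessions stopped and on legitimate sessions dropped as collateral, and includes an attacker who rotates to another host and to an unmatched payload, which is the case the reply says neither response helps with.

```python
"""Session-drop versus source-block responses, scored on constructed traffic.

Added illustration for the firewall-wizards discussion; not code from the thread.
Signatures, addresses and user names below are made up for the example.
"""
from dataclasses import dataclass

# Constructed placeholder signatures (stand-ins for "known hacks").
SIGNATURES = ("attack-sig-A", "attack-sig-B")


@dataclass(frozen=True)
class Session:
    src: str          # source address as the inline device sees it
    user: str         # who is really behind the address (scoring only; device never sees it)
    payload: str      # the inspected part of the stream
    malicious: bool   # ground truth, used only to score the outcome


# Constructed traffic: several legitimate users share "proxy-A" (the AOL case);
# one attacker ("mallory") uses that proxy and two other compromised hosts.
TRAFFIC = [
    Session("proxy-A", "alice",   "GET /index.html", False),
    Session("proxy-A", "mallory", "GET /cgi-bin/x attack-sig-A", True),   # known attack
    Session("proxy-A", "bob",     "GET /about.html", False),
    Session("proxy-A", "carol",   "GET /news.html", False),
    Session("host-B",  "mallory", "GET /cgi-bin/x attack-sig-A", True),   # same attack, new host
    Session("host-C",  "mallory", "GET /cgi-bin/x novel-sig-Z", True),    # unmatched attack, new host
    Session("proxy-A", "mallory", "GET /cgi-bin/x novel-sig-Z", True),    # unmatched attack, old host
]


def matches(payload: str) -> bool:
    """Signature match against the relevant portion of the stream."""
    return any(sig in payload for sig in SIGNATURES)


def block_source(traffic):
    """Policy 1: on a match, add a rule that drops everything from that source address."""
    blocked = set()
    verdicts = []
    for s in traffic:
        if s.src in blocked:
            verdicts.append((s, "dropped"))
        elif matches(s.payload):
            blocked.add(s.src)
            verdicts.append((s, "dropped"))
        else:
            verdicts.append((s, "passed"))
    return verdicts


def drop_session(traffic):
    """Policy 2: drop only the session that matched; no rule is added."""
    return [(s, "dropped" if matches(s.payload) else "passed") for s in traffic]


def score(verdicts):
    """Count attack/legitimate sessions that were dropped or passed."""
    summary = {"attacks_dropped": 0, "attacks_passed": 0,
               "legit_dropped": 0, "legit_passed": 0}
    for s, verdict in verdicts:
        summary[("attacks" if s.malicious else "legit") + "_" + verdict] += 1
    return summary


def compare(traffic=TRAFFIC):
    """Score both policies on the same traffic."""
    return {"block_source": score(block_source(traffic)),
            "drop_session": score(drop_session(traffic))}


if __name__ == "__main__":
    for policy, result in compare().items():
        print(policy, result)
```

On this sample, blocking the source drops every later session from the shared proxy (two legitimate users lost) and still passes the unmatched attack coming from a fresh host; dropping sessions has no collateral damage but passes the unmatched attack from both hosts. Both policies stop exactly what the signature recognises, which is the nuance the reply above is pointing at.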