RE: Corporate H/N IPS

[David Lang <david.lang () digitalinsight com>]

I'm not sure I would buy that application proxy firewalls are inherently
harder to run.

now looking at what's currently on the market I could believe that what's
currently being sold as application proxy firewalls are slightly harder to
run, but I think there are bigger reasons people don't run them

1. the two biggest application firewalls have been sold at least once in
the last couple of years (Gauntlet and Raptor), leading to support
problems during the transition (support problems that have gotten bad
enough to drive away loyal customers)

2. the perception that they aren't 'fast enough' (people run raptor on
windows and get > 200Mb throughput, how fast do you really need to be?)

3. market share (after all if all the other companies are running SPF
firewalls why should we buy anything else)

4. with a good application proxy firewall it's hard to say 'well, just let
everything through for now and we'll tighten it up later'

David Lang

 On Sun, 15 Dec 2002, Bill Royds wrote:

> Date: Sun, 15 Dec 2002 13:22:14 -0500
> From: Bill Royds <broyds () rogers com>
> To: Fritz Ames <fritzames () earthlink net>, firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Corporate H/N IPS
>
> I think the problem is that so many corporate networks are behind a stateful inspection firewall (PIX or FW-1) which 
> has not been able to protect them from layer 7 attacks. To avoid admitting that the firewall is inadequate and should 
> be replace, they can argue for an Intrusion Prevention system inside of the firewall to help control their risks. If 
> this were called a firewall, they would have great difficulty selling it to management ("I thought we already had a 
> firewall"), but calling it something else allows them to get the goodies.
>    I would guess that a lot of the IPS market is to organisations that buy market leaders and buzzword compliant 
> products without really examining their actual needs.
>   I keep on thinking that Checkpoint and ISS would make a good set of merger partners. What one does, the other 
> doesn't and they both lead the market with their products.
>
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Fritz
> Ames
> Sent: Sun December 15 2002 10:57
> To: firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Corporate H/N IPS
>
>
>       I have two concerns, promises and promises.  Is it consesus that
> "Intrusion Prevention System" is a term devised to create a
> market--instead of creating a solution to a problem in order to satisfy
> a market?  (It *is* cheaper to dream of product-differentiating terms,
> and feature names, than to actually make products accomplish anything
> that would be differentiating.)  Is it also agreeable to say that
> application proxies are harder to support and administer than packet
> filters?  Is it still fact that IDS's need a lot expertise, care, and
> feeding to avoid their being turned off or ignored?  Don't "IPS" vendors
> pitch their solutions as being superior because they can do what IDS's
> and application-level firewall's can do?  I feel that I have been told
> that products falling in the "IPS" category will cure all of my ills
> with no significant burden to keep them going, despite the fact that
> they combine two worlds that require expertise and to install and
> maintain.  (My experience keeps failing me, as I find them a lot of
> work.  'Could just be me, and not being able to devote my time to them
> 100%.)  The promises of new "product categories" like IPS's appear only
> good for obfuscation of what products actually do--therefore making
> competition on function and price much more difficult.  The false
> promises by some also make it more difficult for legitimate and solid
> innovations to compete (because they are competing with vaporware or
> marketingware or, more accurately, lies.)  So, what to do?  Am I wrong?
>
>
> Thank you,
>
> Fritz
>
> (Sorry for offering kerosene without offering solutions, but I have to
> start somewhere...)
>
>
>
>
> Crispin Cowan wrote:
> > Talisker wrote:
> >
> > > Crispin
> > > I'm not exactly in agreement with many of your points
> > No worries; that's what forums like this are for :)
> >
> > > > EXACTLY like a firewall, only they look at higher level aplication
> > > > protocols than classic packet filtering firewalls.
> > >
> > > I for one would not entrust my perimeter defense to a NIPS, however I may
> > > consider using a NIPS to look for intrusion signatures on those
> > > packets that
> > > have been passed by the firewall.  I feel they complement each other very
> > > well.
> > Neither would I. I'm not saying that products marketed as NIPS make
> > *good* firewalls. In particular, they are incomplete firewalls, because
> > they don't have the classical capability to block on IPs, ports, & such.
> > Conversely, one could also say that classical packet filters are also
> > incomplete, because they don't look at high level application traffic.
> > The composition of the two adds value to make a more complete firewall
> > system.
> >
> > None of which is new: ancient firewall design calls for an outer
> > firewall defend your DMZ, and an inner firewall to defend your LAN.
> > These firewalls would often be of different design, e.g. a packet filter
> > on the outside and a proxy firewall on the inside.
> >
> > To be clear, my claim is not that NIPS suck. My complaint is that the
> > claim that NIPS is a bold new concept is crap, and that NIPS should
> > properly be understood as an incremental improvement in firewall
> > technology.
> >
> > > I do see HIPS as different from Secure OS's they are more widely
> > > available to all, deployable with minimal impact on an existing
> > > network and
> > > enterprise aware out of the box.
> > Again, this is an incremental improvement on an old concept. A retro-fit
> > security enhancement package fitted onto an existing OS to make it a
> > secure OS. Olde schoole secure OS people will rant about how much less
> > cost-effective it is to retro-fit security, and they may be right, but
> > that's what it is. We built one (Immunix) because I thought it was
> > interesting, and because the economics of the cost of wholesale
> > replacement of operating systems dwarf the cost benefits of designing in
> > security vs. retrofitting it.
> >
> > > > True: "intrusion detection" is what you call it when your detector is so
> > > > slow or imprecise that it cannot be used for prevention.
> > >
> > > IDS can be a little hit and miss, I've had to switch some off because
> > > they
> > > were so inadequate.  However, I have also used others to good effect they
> > > have saved my network on many occasions.
> > Again, I'm not saying that IDS has no value, just that its value needs
> > to be understood. Both Intrusion Preventers and Intrusion Detectors are
> > looking at traffic/operations, and trying to distinguish good from bad.
> > If the distinction can be done precisely (nearly zero false positives)
> > and in real time (before the traffic/operation completes) then it can be
> > used for access control. If the distinction is heuristic (has a real
> > false positive rate) or is slow (makes the distinction long after the
> > traffic/operation completes) then you use it for detection instead of
> > prevention.
> >
> > The trade off for detection is that detectors can detect much more
> > subtle intrusions. They can infer attacks comprised of legitimate
> > operations that would have passed access control. They can spend more
> > time on analysis. This is why you have detection in addition to your
> > access controls/prevention stuff.
> >
> > Crispin
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards