Firewall Wizards mailing list archives
Re: Corporate H/N IPS
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 17 Dec 2002 02:07:43 -0500
Chris Boscolo wrote:
Getting back to the original thread, "what Marketing people are calling IPS is just a repackaging of application proxy Firewalls", there is no question that there are great similarities between the two. It should be noted that from a packet-flow perspective there is actually a big difference between application proxy-based firewalls and IPS that are based on NIDS systems that do TCP reassembly.
Nah, that's just an implementation detail. TCP reassembly and IP state tracking happen in decent IDS or decent proxy firewalls. The early proxy firewalls used the host systems' IP stack to implement TCP (after all, it's a perfectly good stack, why not use it...?) but they could have just as easily done the IP in userland in which case they'd look just like a NID. Honeyd actually does something pretty close to exactly that.

You could make a proxy firewall where the proxies ran in kernel mode - heck, you could attach the proxy state right into the IP stack if you wanted to, but IP stacks as you point out don't handle gazillions of connections really well.

But fundamentally, state tracking and TCP reassembly are a function that needs to happen to "do it right" - where it happens doesn't make much difference, as long as it happens low enough in the stack to protect the host system itself.

mjr.

---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
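To make the reassembly point above concrete, here is an added example (not code from this thread, from Honeyd, or from any product): a small userland reassembler in Python that reorders segments, discards retransmits, and shows a header that per-segment inspection misses but inspection of the reassembled stream finds. The segment data is constructed sample input.

```python
"""Minimal userland TCP stream reassembler, one direction of one flow.
Added example (not code from this thread or any product): state tracking and
TCP reassembly must happen somewhere before content can be inspected.
Segments below are constructed sample input, not captured traffic."""

class StreamReassembler:
    """Reorders segments by sequence number and hands out contiguous bytes."""
    def __init__(self, isn: int):
        self.next_seq = isn + 1   # the SYN consumes one sequence number
        self.pending = {}         # seq -> payload waiting for earlier data
        self.delivered = b""      # the stream as the host application sees it

    def add_segment(self, seq: int, payload: bytes) -> bytes:
        """Accept one segment; return the bytes that just became contiguous."""
        if seq + len(payload) <= self.next_seq:
            return b""            # pure retransmit of data already delivered
        # First copy wins on overlap; real stacks differ, so a reassembly policy must match the host's stack.
        self.pending.setdefault(seq, payload)
        out = b""
        while True:
            starts = [s for s in self.pending if s <= self.next_seq]
            if not starts:
                break
            s = min(starts)
            chunk = self.pending.pop(s)[self.next_seq - s:]   # trim overlap
            out += chunk
            self.next_seq += len(chunk)
        self.delivered += out
        return out

def inspect_per_packet(segments, pattern: bytes) -> bool:
    """Naive inspection: search each segment on its own."""
    return any(pattern in payload for _, payload in segments)

def inspect_reassembled(isn: int, segments, pattern: bytes) -> bool:
    """Inspection after reassembly: search the stream as the host will see it."""
    r = StreamReassembler(isn)
    for seq, payload in segments:
        r.add_segment(seq, payload)
    return pattern in r.delivered

# Constructed sample: the header to match is split across two out-of-order segments, one retransmitted.
ISN = 1000
SEGMENTS = [
    (1024, b"ent: test-scanner\r\n"),       # arrives first, out of order
    (1001, b"GET / HTTP/1.0\r\nUser-Ag"),   # fills the gap
    (1001, b"GET / HTTP/1.0\r\nUser-Ag"),   # retransmit, must be ignored
]
PATTERN = b"User-Agent: test-scanner"
```

Running `inspect_per_packet(SEGMENTS, PATTERN)` returns False while `inspect_reassembled(ISN, SEGMENTS, PATTERN)` returns True, which is the whole argument for doing reassembly before inspection, wherever it lives.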