Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Fri, 29 Mar 2002 13:53:52 -0500

Gary Flynn wrote:
> Perhaps my understanding is naive. I've always thought of firewalls as
> blindly blocking protocols, addresses, or unsolicited connection
> attempts according to policy.

That's what firewalls are like, now, yes. Earlier firewalls tried
to do protocol correctness verification (does that sound familiar...?)
and would deny things that appeared malformed or potentially hostile
because they didn't match the RFCs reasonably well.

> More of a risk management device minimizing
> access based on "traffic profiling" if you will, than a device which makes
> decisions about the hostility of a particular piece of traffic.

Right. You're 100% correct. But that's mostly because firewalls
are lame. :) What most people are calling intrusion prevention
these days would be a pro-active security system that does some
kind of content analysis. I.e.: a "good firewall" ;)

> I've thought of IDS systems as devices able to determine the
> hostility of a particular piece of traffic, but, unfortunately,
> mostly as a passive monitor of the process.

Yeah, that's how they've turned out to be. :) I see the
process of firewalling and intrusion detection as very
closely related. The firewall blocks and does not diagnose.
The IDS diagnoses and does not block. Obviously, the "smart"
thing would be to combine the 2 and do it effectively.

> I'd consider an intrusion prevention system to be one as smart as an IDS
> with the capability to block associated traffic like a firewall.

Exactly. Which is what I meant when I referred to them as
firewalls and antivirus with a fresh coat of paint. :) I could
have said "firewalls that don't suck" but that would have
seemed a bit negative. :)

> So I'd be
> able to allow incoming FTP, telnet, and ssh but the device would stop
> buffer overflow attempts.

Early firewalls actually did that kind of stuff. :) But for
performance reasons everyone went towards simplistic
packet-oriented access controls. 

> Proxy-based firewalls are probably the closest
> to what I'm looking for, but I was under the impression that they
> don't have as wide an understanding of intrusion signatures as do IDS
> boxes, and the number of protocols supported by proxies is limited.

Again, exactly correct. Proxy firewalls had the failing that
they didn't diagnose the attacks they blocked. I actually had a
bunch of hooks in some of the early proxy firewalls that I took
_out_ because too many users emailed to ask "what does THIS mean?"
In retrospect, I believe that 99% of the 'value' of IDS is in
their ability to diagnose and categorize. Nobody cares to know
if they have a bunch of weird data: they want to know what it _MEANS_.
Proxy firewalls were perfectly positioned to do that but they
never did. If I knew then what I know now, attempts to talk past
the proxy would have triggered it dropping into an emulation mode
that would record and categorize the hackers' actions instead of
just discarding their connection. :)

> Am I hopelessly misinformed or outdated?

Not at all. I was probably just writing incoherently or being
too oblique.

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                    http://www.nfr.com
Personal:                http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
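The thread above contrasts three behaviours: the old proxy firewall that verified protocol correctness but silently discarded what it did not like, the IDS that diagnoses but does not block, and the "good firewall" that would do both and tell the operator what the traffic *means*. The following is an added illustration of that combined behaviour, written for this page; it is not code from the thread, from NFR, or from any product named here. It models a tiny inline filter for the FTP control channel: each command line is first checked for RFC 959 form (CRLF-terminated printable ASCII, a 3-4 letter verb), then against an allow-list policy, and every block carries a category and a reason rather than just vanishing. The byte limits, the allow-list, the category names and the sample session are all constructed assumptions, not values from any standard or deployment.

```python
"""Added example: an inline protocol filter that both blocks and diagnoses.

Instead of silently discarding traffic that is not well-formed FTP (the
blind firewall) or only logging it (the passive IDS), the filter blocks
and records *why*. Every limit and category below is an assumption made
for this example, not taken from RFC 959 or from any product.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed policy: a deliberately small allow-list of FTP verbs.
ALLOWED_VERBS = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "STOR",
                 "TYPE", "PASV", "PORT", "QUIT", "NOOP"}
MAX_LINE_BYTES = 512   # assumed limit for a whole command line
MAX_ARG_BYTES = 256    # assumed limit for a single argument


@dataclass(frozen=True)
class Verdict:
    action: str    # "allow" or "block"
    category: str  # the diagnosis an operator actually wants to read
    detail: str    # human-readable reason for the verdict


def inspect_ftp_command(line: bytes) -> Verdict:
    """Classify one control-channel line: protocol form first, then policy."""
    # 1. Protocol-correctness checks: RFC 959 command lines are CRLF-terminated ASCII.
    if not line.endswith(b"\r\n"):
        return Verdict("block", "malformed-protocol", "missing CRLF terminator")
    if len(line) > MAX_LINE_BYTES:
        return Verdict("block", "oversized-command",
                       f"line is {len(line)} bytes (limit {MAX_LINE_BYTES}); "
                       "possible overflow attempt")
    body = line[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):
        return Verdict("block", "malformed-protocol",
                       "non-printable bytes in command line")
    # 2. Split into verb and argument; verbs are 3 or 4 letters.
    verb, _, arg = body.decode("ascii").partition(" ")
    verb = verb.upper()
    if not verb.isalpha() or not 3 <= len(verb) <= 4:
        return Verdict("block", "malformed-protocol",
                       f"verb {verb!r} is not a 3-4 letter command")
    if len(arg) > MAX_ARG_BYTES:
        return Verdict("block", "oversized-argument",
                       f"{verb} argument is {len(arg)} bytes (limit {MAX_ARG_BYTES}); "
                       "possible overflow attempt")
    # 3. Policy check: well-formed, but not something this site permits.
    if verb not in ALLOWED_VERBS:
        return Verdict("block", "disallowed-command", f"{verb} is not in the allow-list")
    return Verdict("allow", "ok", f"{verb} accepted")


def filter_session(lines):
    """Run a whole session through the filter.

    Returns (verdicts, summary). The summary counts categories: that is the
    part a human reads, answering "what does THIS mean?" rather than
    "here is some weird data".
    """
    verdicts = [inspect_ftp_command(line) for line in lines]
    summary = Counter(v.category for v in verdicts)
    return verdicts, summary


# Constructed sample session; not captured traffic.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"RETR " + b"A" * 300 + b"\r\n",   # argument far longer than any real filename
    b"SITE HELP\r\n",                  # well-formed, but outside the allow-list
    b"LIST\r\n",
    b"TYPE I\x00\x01\r\n",             # control bytes where RFC 959 wants printable ASCII
    b"QUIT\r\n",
]

if __name__ == "__main__":
    verdicts, summary = filter_session(SAMPLE_SESSION)
    for v in verdicts:
        print(f"{v.action:5} {v.category:20} {v.detail}")
    print("summary:", dict(summary))
```

The order of checks matters: form is verified before policy, so a malformed line is reported as malformed rather than as a disallowed command, and the `Counter` over categories is what turns a stream of individual blocks into the kind of categorized report the message above argues is most of an IDS's value.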
