Firewall Wizards mailing list archives
Re: Intrusion Prevention Firewall
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Fri, 29 Mar 2002 13:53:52 -0500
Gary Flynn wrote:
> Perhaps my understanding is naive. I've always thought of firewalls as blindly blocking protocols, addresses, or unsolicited connection attempts according to policy.

That's what firewalls are like, now, yes. Earlier firewalls tried to do protocol correctness verification (does that sound familiar...?) and would deny things that appeared malformed or potentially hostile because they didn't match the RFCs reasonably well.

> More of a risk management device minimizing access based on "traffic profiling" if you will, than a device which makes decisions about the hostility of a particular piece of traffic.

Right. You're 100% correct. But that's mostly because firewalls are lame. :) What most people are calling intrusion prevention these days would be a pro-active security system that does some kind of content analysis. I.e.: a "good firewall" ;)

> I've thought of IDS systems as devices able to determine the hostility of a particular piece of traffic, but, unfortunately, mostly as a passive monitor of the process.

Yeah, that's how they've turned out to be. :) I see the process of firewalling and intrusion detection as very closely related. The firewall blocks and does not diagnose. The IDS diagnoses and does not block. Obviously, the "smart" thing would be to combine the 2 and do it effectively.

> I'd consider an intrusion prevention system to be one as smart as an IDS with the capability to block associated traffic like a firewall.

Exactly. Which is what I meant when I referred to them as firewalls and antivirus with a fresh coat of paint. :) I could have said "firewalls that don't suck" but that would have seemed a bit negative. :)

> So I'd be able to allow incoming FTP, telnet, and ssh but the device would stop buffer overflow attempts.

Early firewalls actually did that kind of stuff. :) But for performance reasons everyone went towards simplistic packet-oriented access controls.

> Proxy based firewalls are probably the closest to what I'm looking for but I was under the impression that they don't have as wide an understanding of intrusion signatures as do IDS boxes and the number of protocols supported by proxies is limited.

Again, exactly correct. Proxy firewalls had the failing that they didn't diagnose the attacks they blocked. I actually had a bunch of hooks in some of the early proxy firewalls that I took _out_ because too many users emailed to ask "what does THIS mean?" In retrospect, I believe that 99% of the 'value' of IDS is in their ability to diagnose and categorize. Nobody cares to know if they have a bunch of weird data: they want to know what it _MEANS_. Proxy firewalls were perfectly positioned to do that but they never did. If I knew then what I know now, attempts to talk past the proxy would have triggered it dropping into an emulation mode that would record and categorize the hackers' actions instead of just discarding their connection. :)

> Am I hopelessly misinformed or outdated?
Not at all. I was probably just writing incoherently or being too oblique.

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com
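The "block and diagnose" proxy behaviour discussed above, as an added example that is not code from this thread or from any NFR product: a minimal RFC 959 control-channel filter that refuses non-conforming FTP commands and, instead of silently dropping them, records what was wrong in categories an operator can count. The allowed-command set, the 255-byte argument limit and the sample session are constructed assumptions.

```python
import re

# Constructed policy for this example (not from the thread): the RFC 959 commands
# the proxy will relay, plus one argument-length ceiling. Real proxies keep
# per-command rules; the single limit is an assumption chosen for illustration.
ALLOWED_COMMANDS = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR",
                    "STOR", "TYPE", "PASV", "PORT", "QUIT", "NOOP"}
MAX_ARG_LEN = 255
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

def inspect_ftp_command(line: str) -> tuple[str, str, str]:
    """Return (verdict, category, detail): 'allow'/'block', a stable label the
    operator can count, and a human-readable diagnosis of the line."""
    # RFC 959 control lines are Telnet ASCII: printable text plus CR/LF.
    if any(c not in "\r\n" and not 0x20 <= ord(c) <= 0x7E for c in line):
        return "block", "nonprintable", "non-printable bytes in command line"
    m = COMMAND_RE.match(line.rstrip("\r\n"))
    if not m:
        return "block", "malformed", "line does not parse as <VERB> [<argument>]"
    verb, arg = m.group(1).upper(), m.group(2) or ""
    if verb not in ALLOWED_COMMANDS:
        return "block", "unknown-command", f"{verb} is not in proxy policy"
    if len(arg) > MAX_ARG_LEN:
        return "block", "oversized-argument", (
            f"{verb} argument is {len(arg)} bytes (limit {MAX_ARG_LEN})")
    return "allow", "ok", f"{verb} conforms to policy"

def audit_session(lines):
    """Filter every line; return the per-line report and a tally of block
    categories, so the log says what the traffic meant, not just 'dropped'."""
    report, tally = [], {}
    for line in lines:
        verdict, category, detail = inspect_ftp_command(line)
        report.append((verdict, category, detail))
        if verdict == "block":
            tally[category] = tally.get(category, 0) + 1
    return report, tally

# Constructed FTP control-channel session used as sample input.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "FEAT\r\n",                    # valid RFC 2389 command, but outside policy
    "CWD " + "A" * 600 + "\r\n",   # oversized argument
    "RETR \x01\x02data\r\n",       # control bytes where text belongs
    "QUIT\r\n",
]
if __name__ == "__main__":
    for verdict, category, detail in audit_session(SAMPLE_SESSION)[0]:
        print(f"{verdict:5} {category:18} {detail}")
```

The tally is the part an operator reads; a production filter would also keep the offending line for later analysis rather than only the category.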