Firewall Wizards mailing list archives

RE: Sources for Extranet Designs?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 23 Feb 2004 17:08:41 -0500

Wes Noonan wrote:
IPS would be a no brainer for me in this scenario.

I. Hate. To. Admit. It. But. You. May. Be Right.

IPS hype aside, and ignoring what the Gartner idiots think,
there's a conceptual value to the IPS concept. Basically, a
firewall implements one of 2 policies:
        - Permit
        - Deny

IPS (i.e.: a signature-based firewall) adds a third option to the
policy matrix:
        - Permit
        - Deny
        - Permit it as long as it is not obviously abusive (e.g.: signature
                hasn't fired)

That's actually kind of cool. It means you can set up a connection
for your business partner and let the traffic (for the minimum subset of
services needed, of course!) go through. Then if the business
partners generate traffic that is abusive or appears abusive you
have useful information that you can further use to diagnose what
they are doing. "Hey, mister outsourcer, why are you Nmapping
my network?"

Of course since IPS is signature-based you're going to have the
same kind of issues with false positives as you have with an IDS.
But, since your business partners (in theory) should be communicating
with you in a pretty plain vanilla manner, it should work OK.

mjr. 
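The three-outcome policy matrix described above, as an added example that is not part of the original post or of any product it mentions: a small policy engine where a partner rule can be Permit, Deny, or "permit unless a signature fires". The partner range, service list and the two signatures are constructed for illustration; a signature hit is recorded per partner so the outcome is diagnostic information you can raise with the partner, not just a silent drop.

```python
"""Permit / Deny / Permit-unless-abusive policy evaluation (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    PERMIT = "permit"                      # classic firewall: allow
    DENY = "deny"                          # classic firewall: drop
    PERMIT_UNLESS_ABUSIVE = "conditional"  # IPS-style: allow unless a signature fires


@dataclass(frozen=True)
class Packet:
    src: str        # source address as text
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network   # partner address range the rule applies to
    dst_port: int
    proto: str
    action: Action


# Constructed signatures: name -> predicate over the packet. Real IPS
# signatures are far richer; plain substring matches are enough to show
# where the third policy outcome plugs in.
SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    "http-scanner-user-agent": lambda p: b"User-Agent: ExampleScanner" in p.payload,
    "sqli-probe-marker": lambda p: b"' OR 1=1" in p.payload.upper(),
}


@dataclass
class PolicyEngine:
    rules: List[Rule]
    default: Action = Action.DENY   # anything not explicitly covered is denied
    # Signature hits keyed by partner range, so you can go back to the partner
    # with specifics instead of a bare "blocked".
    alerts: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)

    def match(self, pkt: Packet) -> Optional[Rule]:
        addr = ip_address(pkt.src)
        for rule in self.rules:
            if addr in rule.src and pkt.dst_port == rule.dst_port and pkt.proto == rule.proto:
                return rule
        return None

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, fired_signature); verdict is 'permit' or 'deny'."""
        rule = self.match(pkt)
        action = rule.action if rule else self.default
        if action is Action.PERMIT:
            return "permit", None
        if action is Action.DENY:
            return "deny", None
        # Third outcome: traffic goes through unless a signature fires. A hit
        # is both a drop and a recorded event to follow up with the partner
        # (and to review for false positives, as with any signature IDS).
        for sig_name, predicate in SIGNATURES.items():
            if predicate(pkt):
                self.alerts.setdefault(str(rule.src), []).append((sig_name, pkt.src))
                return "deny", sig_name
        return "permit", None


PARTNER_NET = ip_network("203.0.113.0/24")   # constructed partner range (TEST-NET-3)


def build_engine() -> PolicyEngine:
    # Minimum subset of services the partner needs: HTTPS to the portal only.
    return PolicyEngine(rules=[
        Rule("partner-https", PARTNER_NET, 443, "tcp", Action.PERMIT_UNLESS_ABUSIVE),
        Rule("partner-smtp", PARTNER_NET, 25, "tcp", Action.DENY),
    ])


def run_demo() -> List[Tuple[str, Optional[str]]]:
    """Evaluate a few constructed packets; returns one (verdict, signature) per packet."""
    engine = build_engine()
    traffic = [
        Packet("203.0.113.10", 443, "tcp", b"GET / HTTP/1.1\r\nUser-Agent: PartnerClient/1.0\r\n"),
        Packet("203.0.113.10", 443, "tcp", b"GET / HTTP/1.1\r\nUser-Agent: ExampleScanner/2.0\r\n"),
        Packet("203.0.113.10", 25, "tcp", b"EHLO partner.example"),
        Packet("198.51.100.7", 443, "tcp", b"GET / HTTP/1.1\r\n"),   # not a partner address
    ]
    results = [engine.evaluate(p) for p in traffic]
    for pkt, (verdict, sig) in zip(traffic, results):
        print(f"{pkt.src}:{pkt.dst_port}/{pkt.proto} -> {verdict}" + (f" (signature {sig})" if sig else ""))
    print("alerts:", engine.alerts)
    return results


if __name__ == "__main__":
    run_demo()
```

The engine keeps the classic first-match semantics for Permit and Deny; only the conditional action consults the signature table, which is where an IPS differs from a plain firewall. The per-partner alert list is the "useful information" the post refers to, and it is also the place to look when deciding whether a hit was a false positive.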

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

