Firewall Wizards mailing list archives
RE: IPS (was: Sources for Extranet Designs?)
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 26 Feb 2004 15:06:15 +0100
Can I just jump in and ask what _exactly_ people think "IPS" means? I know I'm asking for a definition debate and we've all seen a bunch of those over the years, but I'm concerned that the "buzzword" factor has lead to compression in terms of vocab. I don't see the basic "attach an IDS to a firewall and have the firewall do stuff based on signatures" concept as amazingly useful (my personal opinion). However lots of companies are producing stuff which they are also calling IPS (us included; consider that a disclaimer). Intrusion Prevention can be done at a number of places 1. The Firewall 2. The Network (inline IPS lives here) 3. The Host (cross platform issues here!) - 3a. The Host Network level (TDI or driver stuff, where the current PFWs live) - 3b. The Host Kernel / Memory Mangement level (systrace, pax, and their windows friends) Of those places, we can work on 1. Attack Signatures (easy to evade, prone to false positives, reactive) 2. Anomaly detection (statistical stuff, less configuration, foolable) 3. Rule Based (hard to program, slower, better suited to a host model) 4. Traffic / rate based. There is a lot of technical depth to the pros and cons of each approach [1]. My own opinion is that the problem of malware, worms and the newer attack vectors (VPN, wireless, laptops etc) pretty much makes it pointless to focus too much on FW based IPS. Basically, firewalls are perimeter based, have huge problems coping with threats that are above the network level, and it's always going to be hard work to stretch their capacities. Witness the profound marketing and technical failure of the proxy firewall, for example. (ok, maybe that sounds like a troll. ;) However, even the crappiest personal firewall has a reasonable chance to contain malware by using application firewalling (this app can bind ports this one can't). The ways that is being approached today is pretty primitive, and there is a lot of work to do - yes - but it's a start. I see future potentiallllllll in an anomaly based approach which can really step in at the network level - buuut... Anyways, I'll restrict the rant, but the point is that it's an overused term, it's Gartnerised, but it's genuinely interesting. I'd love to hear some of your opinions about the viability of the various approaches - because it's fairly clear that we need _some_ new approach. ben [1] European readers with too much time on their hands could come and hear me waffle about this at Infosecurity Europe. Those of you out there who know more about this than I do are welcome to clue me up in advance. ;)
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Don Parker Sent: Tuesday, February 24, 2004 12:00 AM To: Marcus J. Ranum; Wes Noonan; 'Baumann, Sean C.'; 'R. DuFresne' Cc: 'Paul Robertson'; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Sources for Extranet Designs? Yes indeed IPS is an excellent technology that is slowly maturing. There is still nothing wrong with the IDS though.
[...]
On Feb 23, "Marcus J. Ranum" <mjr () ranum com> wrote: Wes Noonan wrote:IPS would be a no brainer for me in this scenario.I. Hate. To. Admit. It. But. You. May. Be Right. IPS hype aside, and ignoring what the Gartner idiots think, there's a conceptual value to the IPS concept. Basically, a firewall implements one of 2 policies: - Permit - Deny IPS (i.e.: a signature-based firewall) adds a third option to the policy matrix: - Permit - Deny - Permit it as long as it is not obviously abusive (e.g.: signature hasn't fired)
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Sources for Extranet Designs?, (continued)
- RE: Sources for Extranet Designs? Frederick M Avolio (Feb 23)
- RE: Sources for Extranet Designs? Marcus J. Ranum (Feb 23)
- Plumbers... was Re: Sources for Extranet Designs? Gary Flynn (Feb 24)
- RE: Sources for Extranet Designs? Marcus J. Ranum (Feb 23)
- RE: Sources for Extranet Designs? Jim Seymour (Feb 23)
- RE: Sources for Extranet Designs? Chris Blask (Feb 24)
- RE: IPS (was: Sources for Extranet Designs?) Ben Nagy (Feb 26)
- RE: IPS (was: Sources for Extranet Designs?) Christian Kreibich (Feb 26)
- RE: IPS (was: Sources for Extranet Designs?) Chris Blask (Feb 26)
- Re: IPS (was: Sources for Extranet Designs?) Bennett Todd (Feb 26)
- RE: IPS (was: Sources for Extranet Designs?) Frederick M Avolio (Feb 26)