Firewall Wizards mailing list archives

Re: IPS (was: Sources for Extranet Designs?)

From: Bennett Todd <bet () rahul net>
Date: Thu, 26 Feb 2004 16:31:08 -0500

I'll take a swing at the definition.

First off, sure, it's a lot of marketing blither.

But so far the gizmos I've seen marketed as IPS are signature-based
Intrusion Detection Systems (IDSes) garnished with some mechanism
for blocking the traffic. Passthrough devices, that act like routers
or bridges and refuse to pass packets that match sigs are a common
pattern, there are others.

I used to think the class of device "IPS" was completely useless.

It's a subset of "firewall", under the definition (mjr's?) "a
control system installed at a network choke point, commonly between
nets with different security stances, to provide traffic control
and/or monitoring".

For most purposes, they're weak firewalls. A strong firewall refuses
to pass prohibited traffic. An IPS has to get lucky.

But recently I've come to realize that in some really really nasty
situations, where an unchangeable external policy forces you to
permit dangerous traffic to transit a traditional firewall, an IPS
can be a valuable additional layer of defense. The classic situation
seems to be, you can neither outlaw use of poorly-designed client
apps, nor impose sufficiently draconian content type blocking to
prevent them from providing a gateway of attack. For email, the
traditional band-aid is a signature-based virus-scanner. For http
there are some proxies that can do deep content analysis. But for
all the zillions of other nightmares sprouting like mushrooms from
the brainpans of irresponsible programmers (instant messaging,
distributed collaboration apps, ...) an IPS can provide a somewhat
protocol-generic engine that stands a chance of spotting signatures
of common attack bases --- trampoline code, specific exploit code
fragments, etc. --- for protocols for which you don't have a robust
application-level proxy with suitable controls and analysis.

So I still don't like 'em much, for most settings, but there do seem
to be occasions when they can add value. Very unpleasant occasions.

-Bennett

Attachment: _bin
Description:

Current thread:

RE: Sources for Extranet Designs?, (continued)
- - - RE: Sources for Extranet Designs? Marcus J. Ranum (Feb 23)
  - RE: Sources for Extranet Designs? Jim Seymour (Feb 23)
- RE: Sources for Extranet Designs? Mitchell Rowton (Feb 23)
- RE: Sources for Extranet Designs? Steven A. Fletcher (Feb 23)
- RE: Sources for Extranet Designs? Wes Noonan (Feb 23)
- RE: Sources for Extranet Designs? Don Parker (Feb 23)
  - RE: Sources for Extranet Designs? Chris Blask (Feb 24)
  - RE: IPS (was: Sources for Extranet Designs?) Ben Nagy (Feb 26)
    - RE: IPS (was: Sources for Extranet Designs?) Christian Kreibich (Feb 26)
    - RE: IPS (was: Sources for Extranet Designs?) Chris Blask (Feb 26)
    - Re: IPS (was: Sources for Extranet Designs?) Bennett Todd (Feb 26)
    - RE: IPS (was: Sources for Extranet Designs?) Frederick M Avolio (Feb 26)
- RE: Sources for Extranet Designs? Don Parker (Feb 24)