Firewall Wizards mailing list archives
Re: IPS (was: Sources for Extranet Designs?)
From: Bennett Todd <bet () rahul net>
Date: Thu, 26 Feb 2004 16:31:08 -0500
I'll take a swing at the definition. First off, sure, it's a lot of marketing blither. But so far the gizmos I've seen marketed as IPS are signature-based Intrusion Detection Systems (IDSes) garnished with some mechanism for blocking the traffic. Passthrough devices that act like routers or bridges and refuse to pass packets that match sigs are a common pattern; there are others.

I used to think the class of device "IPS" was completely useless. It's a subset of "firewall", under the definition (mjr's?) "a control system installed at a network choke point, commonly between nets with different security stances, to provide traffic control and/or monitoring". For most purposes, they're weak firewalls. A strong firewall refuses to pass prohibited traffic. An IPS has to get lucky.

But recently I've come to realize that in some really really nasty situations, where an unchangeable external policy forces you to permit dangerous traffic to transit a traditional firewall, an IPS can be a valuable additional layer of defense.

The classic situation seems to be, you can neither outlaw use of poorly-designed client apps, nor impose sufficiently draconian content type blocking to prevent them from providing a gateway of attack. For email, the traditional band-aid is a signature-based virus-scanner. For http there are some proxies that can do deep content analysis. But for all the zillions of other nightmares sprouting like mushrooms from the brainpans of irresponsible programmers (instant messaging, distributed collaboration apps, ...) an IPS can provide a somewhat protocol-generic engine that stands a chance of spotting signatures of common attack bases --- trampoline code, specific exploit code fragments, etc. --- for protocols for which you don't have a robust application-level proxy with suitable controls and analysis.

So I still don't like 'em much, for most settings, but there do seem to be occasions when they can add value. Very unpleasant occasions.

-Bennett
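The distinction the post draws (a default-deny firewall versus a default-allow, signature-matching IPS, and the layered case where policy forces a port open) can be shown with a small simulation. This is an added example, not code from the list or its contributors; the ports, signatures and packets are all constructed stand-ins.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


# Traditional firewall: default deny. Only explicitly permitted services transit,
# whatever the payload looks like. Constructed policy: SMTP and HTTP only.
STRICT_ALLOW = frozenset({25, 80})

# The "unchangeable external policy" case: the site is forced to also permit an
# instant-messaging port (5190, the AIM/OSCAR port, used here as a constructed
# example) for which no application-level proxy is available.
FORCED_ALLOW = STRICT_ALLOW | {5190}

# IPS: default allow, drop only traffic that matches a known-bad signature.
# Constructed stand-ins for "trampoline code" and "exploit code fragments".
IPS_SIGNATURES = (b"\x90" * 8, b"/bin/sh")


def firewall_verdict(pkt: Packet, allow: frozenset) -> str:
    """Default-deny: pass only if the destination service is on the allow list."""
    return "pass" if pkt.dst_port in allow else "drop"


def ips_verdict(pkt: Packet) -> str:
    """Default-allow: drop only if some known signature occurs in the payload."""
    return "drop" if any(sig in pkt.payload for sig in IPS_SIGNATURES) else "pass"


def layered_verdict(pkt: Packet, allow: frozenset) -> str:
    """Firewall first; the IPS only sees what the firewall already let through."""
    if firewall_verdict(pkt, allow) == "drop":
        return "drop"
    return ips_verdict(pkt)


# Constructed sample traffic.
KNOWN_BAD = Packet(5190, b"IM-hello" + b"\x90" * 8 + b"/bin/sh")  # matches a signature
UNKNOWN_BAD = Packet(5190, b"IM-hello" + b"\x41" * 24)             # hostile, no signature
BENIGN_MAIL = Packet(25, b"EHLO example.test\r\n")

if __name__ == "__main__":
    for name, pkt in [("known_bad", KNOWN_BAD), ("unknown_bad", UNKNOWN_BAD), ("mail", BENIGN_MAIL)]:
        print(name, firewall_verdict(pkt, STRICT_ALLOW), ips_verdict(pkt), layered_verdict(pkt, FORCED_ALLOW))
```

Under the strict policy both hostile packets are dropped by port alone; once policy forces port 5190 open, the IPS still stops the signed variant but passes the unsigned one, which is the "has to get lucky" weakness.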