Firewall Wizards mailing list archives
RE: IPS (was: Sources for Extranet Designs?)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 26 Feb 2004 17:00:00 -0500
Stiennon,Richard wrote:
> Network IPS: An inline device that assembles packets into streams or sessions and parses them.
So far, that's a "firewall" - the first firewalls did all that inherently since they were proxies. The second-generation firewalls with "transparent proxies" did the same thing but with less impact on the user experience. It was the third-generation "network layer" firewalls (pix, Checkpoint) that stepped away from full stream reassembly and termination and switched to "stateful inspection" - which was actually less stateful than a proxy (at both TCP and layer 7) but you gotta hand it to those CheckPoint marketing guys. They really earned their stock options with that one...
> Multiple methodologies to determine malicious intent. Usually includes signature, protocol anomaly, behavior and flow capabilities.
Many first generation proxy firewalls did this, too. DEC SEAL had a rate limiter feature that would saw off a connection that attempted to tunnel outgoing traffic over an FTP command stream or TELNET session. Protocol anomaly detection was inherent in most if not all of the early proxy firewalls. I know SEAL and Gauntlet both did exhaustive checks for protocol errors and violation attempts in SMTP, HTTP, and FTP. You can call 'em "signatures" or "protocol anomaly" but I can tell you that Gauntlet and SEAL each did several dozen checks for malicious intent. Dozens of signatures is low by today's marketing numbers but we're talking starting this in 1991.
> The ability to drop sessions associated with attacks. Note, this is dramatically different than a firewall that can close *connections* based on source-destination-port.
No it's not!!!! At least DEC SEAL, TIS Gauntlet, MilkyWay BlackHole, Raptor Eagle, Secure Computing Sidewinder, and Harris Cyberguard all had these capabilities - some as early as 1991 and all of them by 1994. What did these devices have in common? They were all - firewalls. Sounds like you've defined "Intrusion Prevention" as a "first generation proxy firewall". OK, OK, I'm just jerking your chain. Intrusion Prevention CAN'T be something as simple and stupid and ancient as a firewall that detects and closes sessions based on application layer attack detection. That's not sexy, is it? And sexing up and hyping stuff is your job, isn't it? Those startups' marketing departments aren't gonna pay Gartner big bucks to put them on the proxy firewall magic quadrant, are they?
> Definitions are often helped out by a set of reference vendors. In my mind, Tippingpoint, TopLayer, Radware, NAI Intrushield, Netscreen IDP, Reflex Security and even Checkpoint Intrespect all fit this definition.
In terms of your "definition" probably 90% of the firewall products that have ever been on the market are IPS.
> Host IPS: A software shim (firewall) that sits between the kernel and the application. System calls are intercepted and blocked if they are outside the "allow" policy.
This sounds like *EVERY* antivirus product on the market, and that has ever been on the market, since the first antivirus product latched a DOS interrupt.
> Much simpler space with only three vendors, Cisco Secure Agent (was Okena), NAI Entercept, and Sana Security. A start up called Araksha is also looking at this space but they go much deeper into the application at run time.
What about the stack-based shims like Network Ice, Tiny Trojan Trap, even ZoneAlarm, that handle network traffic inline and also are aware of application state?
> The firewall vendors are excited by IPS because it is a product that can be deployed deep inside a network.
Everyone is excited about IPS because Gartner has hyped the hell out of it and Gartner's own analysts (apparently) can't come up with a decent definition of what it is. I'll tell you what it is: it's hype. That's all. The firewall vendors are excited about IPS because it's offering them a chance to re-brand existing stuff, write some new marketing glossies, and try to sell their firewalls on the interior of the network. Guess what? We (us old-timer security guys) have been telling customers forever that internal firewalls are a good idea. You can call it IPS or you can call it a firewall but it's gonna do the same thing and it's gonna be just as tough a sell for the enterprise. IDS vendors are "excited" about IPS because Gartner "researchers" announced that their products are obsolete and useless while simultaneously hyping a market concept that has no real distinctions from that which has gone before it. So all the IDS vendors are having to react to Gartner's ex cathedra pronouncements because their customers have bean-counters and senior management that are still so technically illiterate that they take Gartner research as gospel. In other words, Gartner has created a self-fulfilling circle-jerk.
> Initial traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on "academic freedom".
Since we've got you here, maybe you can give us an idea of how many universities are doing IPS inline? When Gartner announced IDS was dead and long live IPS I was unable to find a *SINGLE* organization that was actually running an Intruvert (the product Gartner claimed was the best) inline. Nobody on this list (which encompasses a fairly large body of security practitioners) came forward, either. Who is doing IPS inline and how in the heck is that different from a firewall? Anyone on the list care to corroborate this?
> Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.
Anyone on the list care to corroborate this?

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
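Added example, not code from the thread or from any product named in it: a minimal Linux seccomp-BPF shim that does exactly what the Host IPS definition above describes, intercepting every system call and killing the process on anything outside an allow policy. The three-syscall policy and the non-x86 HOST_ARCH fallback are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __x86_64__
#define HOST_ARCH AUDIT_ARCH_X86_64
#else
#define HOST_ARCH AUDIT_ARCH_AARCH64   /* assumption: non-x86 build hosts are arm64 */
#endif
#define MAX_ALLOWED 32   /* keeps every jump offset within a BPF u8 */
#define STMT(code, k)         ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

/* Emit a seccomp-BPF program that allows only the listed syscall numbers.
 * Returns the instruction count (n + 6), or 0 if the list is empty or too long. */
size_t build_allowlist_filter(const int *allowed, size_t n, struct sock_filter *out)
{
    size_t i, k = 0;
    if (n == 0 || n > MAX_ALLOWED) return 0;
    /* Kill on a foreign ABI (e.g. 32-bit compat) before trusting the syscall number. */
    out[k++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[k++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 1, 0);
    out[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[k++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)   /* a match jumps past the remaining tests and the KILL */
        out[k++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], (unsigned char)(n - i), 0);
    out[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);    /* outside the allow policy */
    out[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}

/* Install the policy on the calling thread; 0 on success, -1 on failure. */
int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter insns[MAX_ALLOWED + 6];
    struct sock_fprog prog = { 0, insns };
    prog.len = (unsigned short)build_allowlist_filter(allowed, n, insns);
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;   /* NO_NEW_PRIVS is required for an unprivileged install */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}
int main(void)
{
    const int policy[] = { SYS_write, SYS_exit, SYS_exit_group };   /* constructed sample */
    if (install_allowlist(policy, 3) != 0) return 1;
    write(1, "inside policy\n", 14);
    getpid();   /* not in the allow list: the kernel kills the process here */
    return 0;
}
```

Run it and the process dies with SIGSYS at the getpid() call, which is the "blocked if outside the allow policy" behaviour from the definition; a real shim would log the blocked call number before deciding to kill.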