Firewall Wizards mailing list archives

Re: IPS


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 26 Feb 2004 18:46:15 -0500

Marcus J. Ranum wrote:

> Stiennon, Richard wrote:
> > Initial traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on
> > "academic freedom".
> Since we've got you here, maybe you can give us an idea
> of how many universities are doing IPS inline? When Gartner
> announced IDS was dead and long live IPS I was unable to find
> a *SINGLE* organization that was actually running an Intruvert
> (the product Gartner claimed was the best) inline. Nobody on
> this list (which encompasses a fairly large body of security
> practitioners) came forward, either. Who is doing IPS inline and
> how in the heck is that different from a firewall?
>
> Anyone on the list care to corroborate this?

(I wonder if I'm getting hooked here)

I know of a few universities that have them installed and we'll
have a couple installed here in the next few weeks. I was
looking at them way before Gartner's report. In fact, I think
I was asking about them on this list a couple years ago when
there was only one product on the market...Onesecure. I got sick
of watching Snort reports tell me about things that could
easily have been blocked with an inline device. One
packet blocked is one less packet I have to defend against.
The other billion will keep me plenty busy.

It has much less to do with academic freedom than it does with
adding an extra layer of security around an open network. Today's
non-proxy firewalls can enforce a rather coarse security policy.
A blocking IDS engine, whether implemented in a firewall like
Checkpoint's SmartDefense or a standalone, inline "IDP" product,
can get more granular. More to the point, some of them can more
easily be configured to address current, specific threats in
a timely manner without resorting to an out and out block of
a particular service. At least that is where I see their primary
value. I sometimes write Snort rules to detect exploits of
recently announced vulnerabilities or to detect suspicious
activity for followup. Would I put them into operation as a
blocking rule? Some of them. That gives me some additional
flexibility to block some known, malicious activity while still
allowing a class of communications that may be valuable to some
segment of our population. Remember that is why networks were
invented. If security was the primary requirement, we'd use
your ultimate firewall. :)

Also remember that a lot of university networks are basically
ISPs to students who live on their network using what are
basically home computers. In fact, 70-80% of the computers on
those "university networks" are actually home computers. The
problems we've seen there have often been precursors to what
later happens on broadband home connections...a place where
proxy firewalls would be a bit difficult to install. :)

An IDP may provide configuration management processes a little
more time to work at getting systems upgraded or reconfigured
in the face of a new threat.

Are these "IDP devices" as secure for a particular service as
a well-written, proxy firewall would be? Probably not.
Particularly for services needing an encryption boundary like
HTTPS. But past proxy firewalls are limited in supported
services, have questionable depth to their understanding of
the underlying service, and aren't amenable to a more or less
open network. And they certainly don't help to allow innovative,
new services to be developed and used if they refuse to pass
unsupported services. (Yes, I know, that can be two-pronged.)

Yeah, from a security standpoint, I'd rather install in-depth,
versatile, programmable proxy firewalls for every service
we allow (in front of every system :). But I don't know of one.

The Internet was designed and owes much of its rapid innovations
to the concept of a dumb communications network with intelligence
at its endpoints. Admittedly, that architecture, and especially
its assumption of (trusted?) intelligence at its endpoints, has
resulted in a wealth of problems. And it may be that it cannot
survive in its present format
(http://falcon.jmu.edu/~flynngn/whatnext.htm).

Anyone looking for a miracle box (firewall, IDP, appliance, VPN,
IPSEC, Trusted Computing Platform, etc.) that is going to solve
the problems associated with its underlying architectural
weaknesses and assumptions is just fooling themselves. I just
want another tool, the inline IDP, to *help* me survive the
current lawless chaos until we all digress into balkanized
networks or some major changes are made.

Do I think they make us immune? Of course not. They merely
raise the fence a fraction higher. Just like AV, mail
filters, patches, VPNs, encryption, access controls, and other
security measures.

Are IDPs the be-all and end-all of intrusion prevention?
Of course not. Is the name unfortunate? Certainly. The
lock on my door is an Intrusion Prevention Device. But
the concept is valid and, if expectations are in line
with reality, I think they'll provide a useful function
albeit with the usual cost of maintaining and monitoring
yet another defensive layer.

> > Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.
>
> Anyone on the list care to corroborate this?

I don't know about that. I think some IDPs claim some traffic
shaping capabilities but I think products like Packeteer's
Packetshaper have more sophisticated capabilities in that
realm.

In any case, traffic shapers, NIDS/NIDP, and deep packet
inspection firewalls are going to eventually go the way
of the dodo unless they're set up behind a common
encryption border. When everything looks like HTTPS, their
value will be limited as far as data inspection is concerned.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
