Firewall Wizards mailing list archives
Re: IPS
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 26 Feb 2004 18:46:15 -0500
Marcus J. Ranum wrote:
> Stiennon,Richard wrote:
>> Initial traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on "academic freedom".
>
> Since we've got you here, maybe you can give us an idea of how many universities are doing IPS inline? When Gartner announced IDS was dead and long live IPS I was unable to find a *SINGLE* organization that was actually running an Intruvert (the product Gartner claimed was the best) inline. Nobody on this list (which encompasses a fairly large body of security practitioners) came forward, either. Who is doing IPS inline and how in the heck is that different from a firewall? Anyone on the list care to corroborate this?
( I wonder if I'm getting hooked here )

I know of a few universities that have them installed and we'll have a couple installed here in the next few weeks. I was looking at them way before Gartner's report. In fact, I think I was asking about them on this list a couple years ago when there was only one product on the market...Onesecure.

I got sick of watching Snort reports tell me about things that could have easily been blocked with an inline device. One packet blocked is one less packet I have to defend against. The other billion will keep me plenty busy.

It has much less to do with academic freedom than it does with adding an extra layer of security around an open network. Today's non-proxy firewalls can enforce a rather coarse security policy. A blocking IDS engine, whether implemented in a firewall like Checkpoint's SmartDefense or a standalone, inline "IDP" product, can get more granular. More to the point, some of them can more easily be configured to address current, specific threats in a timely manner without resorting to an out-and-out block of a particular service. At least that is where I see their primary value.

I sometimes write Snort rules to detect exploits of recently announced vulnerabilities or to detect suspicious activity for follow-up. Would I put them into operation as a blocking rule? Some of them. That gives me some additional flexibility to block some known, malicious activity while still allowing a class of communications that may be valuable to some segment of our population. Remember, that is why networks were invented. If security was the primary requirement, we'd use your ultimate firewall. :)

Also remember that a lot of university networks are basically ISPs to students who live on their network using what are basically home computers. In fact, 70-80% of the computers on those "university networks" are actually home computers. The problems we've seen there have often been precursors to what later happens on broadband home connections...a place where proxy firewalls would be a bit difficult to install. :) An IDP may provide configuration management processes a little more time to work at getting systems upgraded or reconfigured in the face of a new threat.

Are these "IDP devices" as secure for a particular service as a well-written proxy firewall would be? Probably not. Particularly for services needing an encryption boundary like HTTPS. But past proxy firewalls are limited in supported services, have questionable depth to their understanding of the underlying service, and aren't amenable to a more or less open network. And they certainly don't help to allow innovative, new services to be developed and used if they refuse to pass unsupported services. (Yes, I know, that can be two-pronged.) Yeah, from a security standpoint, I'd rather install in-depth, versatile, programmable proxy firewalls for every service we allow (in front of every system :). But I don't know of one.

The Internet was designed and owes much of its rapid innovations to the concept of a dumb communications network with intelligence at its endpoints. Admittedly, that architecture, and especially its assumption of (trusted?) intelligence at its endpoints, has resulted in a wealth of problems. And it may be that it cannot survive in its present format (http://falcon.jmu.edu/~flynngn/whatnext.htm). Anyone looking for a miracle box (firewall, IDP, appliance, VPN, IPSEC, Trusted Computing Platform, etc.) that is going to solve the problems associated with its underlying architectural weaknesses and assumptions is just fooling themselves. I just want another tool, the inline IDP, to *help* me survive the current lawless chaos until we all digress into balkanized networks or some major changes are made.

Do I think they make us immune? Of course not. They merely raise the fence a fraction higher. Just like AV, mail filters, patches, VPNs, encryption, access controls, and other security measures. Are IDPs the be-all and end-all of intrusion prevention? Of course not. Is the name unfortunate? Certainly. The lock on my door is an Intrusion Prevention Device. But the concept is valid and, if expectations are in line with reality, I think they'll provide a useful function, albeit with the usual cost of maintaining and monitoring yet another defensive layer.
> Stiennon,Richard wrote:
>> Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.
>
> Anyone on the list care to corroborate this?

I don't know about that. I think some IDPs claim some traffic shaping capabilities but I think products like Packeteer's Packetshaper have more sophisticated capabilities in that realm. In any case, traffic shapers, NIDS/NIDP, and deep packet inspection firewalls are going to eventually go the way of the dodo unless they're set up behind a common encryption border. When everything looks like HTTPS, their value will be limited as far as data inspection is concerned.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
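As an added illustration of the "write a detection rule first, then promote some of them to blocking rules" approach described in the reply above (constructed example material, not rules from the post, the list, or JMU), here is one Snort signature in its passive and its inline-blocking form. It assumes Snort 2.x rule syntax with the usual $HOME_NET/$EXTERNAL_NET variables, and an inline-capable build (snort_inline, or Snort 2.3 and later) for the drop action; the "../" URI pattern and the local sid numbers are placeholders chosen for illustration.

```snort
# Constructed example: one HTTP signature, first as a passive (alert-only)
# rule for review, then as an inline blocking rule. The URI pattern "../"
# is a generic directory-traversal check used only for illustration;
# sid 1000001/1000002 are local-range placeholders.

# 1. Passive sensor: log the attempt, let the packet through.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"LOCAL HTTP directory traversal attempt"; \
    flow:to_server,established; \
    uricontent:"../"; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )

# 2. Inline IDP: same match, but the packet is dropped (and still logged),
#    while every other request to port 80 is passed untouched. A port-based
#    firewall rule could only allow or deny all of port 80.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"LOCAL HTTP directory traversal attempt (blocked)"; \
    flow:to_server,established; \
    uricontent:"../"; \
    classtype:web-application-attack; \
    sid:1000002; rev:1; )
```

The encryption caveat raised at the end of the reply applies directly: neither rule can see the URI once the same request arrives over HTTPS, so an inline sensor only keeps this granularity if it sits behind the point where TLS is terminated.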