Firewall Wizards mailing list archives
Re: IPS (was: Sources for Extranet Designs?)
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 26 Feb 2004 19:08:17 -0500
Paul Robertson wrote:
> On Thu, 26 Feb 2004, Marcus J. Ranum wrote:
>> Can you explain how these "signatures" and "protocol anomaly" detectors and "behavior and flow capabilities" are going to NOT suffer all the problems with false positives that caused Gartner to announce that IDS was a failure?
>
> It's worse, IMO- I think IPS is the loss of default deny/principle of least priv. - so rather than strengthening rulesets to stop more bad stuff, we're back to the "prove it's bad, then we block it" mentality- that's never worked for security before, and I don't see how it's going to work now. It's no wonder proponents are touting universities (apologies to the .edu admins on this list who've overcome those battles the hard way)- where the prove it bad mentality has had its best survival rate.
Hmmm, it sounds like you're assuming that universities have or had a default deny rule. :) As I mentioned in my previous response, we're basically a broadband ISP provider to 70-80% of the computers on our network - student home computers. While a default deny rule might be a good corporate strategy with limited and well-defined communications needs, it doesn't play well to the average home user...whether their Internet connection is provided by a university network or a commercial broadband home connection. I get complaints because I make games slow or unusable. :( And yeah, we could certainly do more in that realm in the non-student areas, and yeah, "academic freedom" is often overused as an excuse, but we do have different needs than a less fluid organization. That said, we've had several discussions about how we'd implement a general default deny rule recently. And we do have default deny rules in interior portions of the network.
> Now that we've actually gotten back to the point where firewalls are capable of doing application layer decisions, it seems rather silly to toss that back out again and go with yet-another-miracle.
On what applications? Certainly not all the ones I see go through our Internet connections. Can you write your own inspection rules for the typical firewall?

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards