Firewall Wizards mailing list archives

Re: IPS (was: Sources for Extranet Designs?)


From: Paul Robertson <proberts () patriot net>
Date: Fri, 27 Feb 2004 13:08:29 -0500 (EST)

On Thu, 26 Feb 2004, Gary Flynn wrote:

It's no wonder proponents are touting universities (apologies to the .edu
admins on this list who've overcome those battles the hard way)- where the
prove-it-bad mentality has had its best survival rate.

Hmmm, it sounds like you're assuming that universities have or had
a default deny rule. :)

No, the opposite- "prove it's bad and we'll block it" seems to prevail in
academia.

As I mentioned in my previous response, we're basically a broadband
ISP provider to 70-80% of the computers on our network - student
home computers. While a default deny rule might be a good corporate
strategy with limited and well-defined communications needs, it
doesn't play well to the average home user...whether their Internet
connection is provided by a university network or a commercial
broadband home connection. I get complaints because I make games slow
or unusable. :(

Only because so many people have gone to the "prove it's bad" setting,
otherwise, we'd have application designers doing the right thing
protocol-wise.

And yeah, we could certainly do more in that realm in the
non-student areas, and yeah, "academic freedom" is often
overused as an excuse, but we do have different needs than
a less fluid organization.

Which is why universities will continue to be common abuse and seeding
targets.

That said, we've had several discussions about how we'd implement
a general default deny rule recently. And we do have default deny
rules in interior portions of the network.

See, in my mind, that's progress- and the current climate is our
(collectively) best opportunity to take back ground.

Now that we've actually gotten back to the point where firewalls are
capable of doing application layer decisions, it seems rather silly to
toss that back out again and go with yet-another-miracle.

On what applications? Certainly not all the ones
I see go through our Internet connections.

On any application- technology-wise, we're at a point where firewalls can
actively make per-packet and more importantly per-stream decisions- now do
we have codified implementations?  Not really, but we've got everything from
full-on proxies to packet filters to things that, even if they're packet
filters, are capable of doing inspection/rejection on higher layer protocols.

Can you write your own inspection rules for the typical firewall?

FW-1 has had that for quite a while- though not at the stream level AFAIK.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards