Re: IPS vs. Firewalls

["Marcus J. Ranum" <mjr () ranum com>]

Phil Albacore wrote:
> They've heard that IPS sensors can be used to block traffic, so they've got it in their heads that we don't need a 
> firewall anymore.

I'd suggest you have them ask a few of the IPS vendors if they recommend
using their product in that manner. Unless you're talking to the IPS vendors
that are basically selling a firewall+signatures (like a "deep packet inspection"
firewall) they will backpedal away from that very rapidly. Perhaps your
path of least resistance is to tell them that you want one of the new
generation "IPS firewalls" then you can turn off the IPS crap (which
won't do anything except slow the firewall down, anyhow) and use the
firewall rules. The only problem with that is that most of the IPS firewalls
are little more than a cheesy "stateful" packet filter with a few dozen
signatures hammered into the packet forwarder loop. I'd be being
uncharacteristically generous if I said that they "suck" - they're not
nearly that good.

I've got to thank you for asking the question; it made me look at a few of
the IPS vendor claims to see if many of them have the guts to say they
replace a firewall. I particularly got a chuckle out of Intruvert's (now NAI)
claim that they protect against encrypted attacks. I needed some yuks
to lighten up my morning!!

I quote: " McAfee IntruShield delivers comprehensive protection against
today’s constantly evolving threats, including known, zero-day, and
encrypted attacks."
Wow -- that does sound pretty good. I guess you don't need a firewall
after all!!

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards