Firewall Wizards mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: Gabriele Buratti <gabriele.buratti () netasq com>
Date: Fri, 03 Feb 2006 14:14:01 +0100
Parental advisory: explicit vendor opinions may occur in this message! Let me show how the IPS firewall market is seen from an IPS firewall vendor's perspective. I've been following this mailing list for 3 years and few vendor opinions popped up. I don't know if this is because it's considered a kind of advertising (thus impolite) or what ... (in this case list admins, please drop this mail). Let me invite my competitors to a friendly discussion about this layer 7 thing :)
Here's the thing:

1) Proxy firewalls: Proxy firewalls are in theory good because they can do RFC compliance checks and take the "strange things won't be forwarded" approach, aka the marketing "day-0 protection". More, they'll do fragment reassembly. The problems with proxies are:
- performance decreased due to complete session rewrite
- when used as reverse proxies for incoming connections you always have those listening ports on the proxy firewall. Listening ports means attackable ports.

2) Firewalls with signatures: just the old IDS signatures, but now inline. The problems with signatures are:
- keep the number of signatures low or it'll be a bottleneck thing (false negatives)
- false positives
- any variation of a known attack signature will be a new signature

3) New technologies:
- reassemble the fragments in a separate space, do the checks, then if OK send the fragments (no session rewriting).
- focus on the "strange things won't be forwarded", rather than signatures: faster, sharp, you can use the marketing wizard's "0-day protection" word :)
- decode recursively to stop blended attacks
- don't use a proxy: check on the fly and if the test is passed then forward the packet (so no session rewrites and no dangerous listening ports)
Gabriele

Marcus J. Ranum wrote:
I'd suggest you have them ask a few of the IPS vendors if they recommend using their product in that manner. Unless you're talking to the IPS vendors that are basically selling a firewall+signatures (like a "deep packet inspection" firewall) they will backpedal away from that very rapidly. Perhaps your path of least resistance is to tell them that you want one of the new generation "IPS firewalls" then you can turn off the IPS crap (which won't do anything except slow the firewall down, anyhow) and use the firewall rules.
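The point-3 design from Gabriele's message (reassemble in a separate space, run the check, then forward the original fragments; decode recursively so blended encodings are seen through), as an added example that is not part of the post or of any NETASQ product. The fragment layout, the "strange things" token list and both sample requests are constructed for illustration.

```python
# Added illustration (not code from the post or NETASQ): a toy inline inspector
# in the style of point 3. Fragments are reassembled only in a scratch buffer for
# the check; on a pass the ORIGINAL fragments are forwarded untouched, on a fail
# they are dropped. Decoding is recursive, so double-encoding is seen through.
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece in the payload
    more: bool    # more-fragments flag (False on the last piece)
    data: bytes

def reassemble(frags):
    """Scratch-space reassembly; None if pieces are missing or overlap."""
    frags = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in frags:
        if f.offset != len(buf):    # gap or overlap: refuse to judge it
            return None
        buf += f.data
    return bytes(buf) if frags and not frags[-1].more else None

def normalize(text, max_rounds=5):
    """Percent-decode repeatedly until a fixed point (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

STRANGE = ("../", "<script")    # constructed stand-in for "strange things"

def looks_strange(payload):
    return any(tok in normalize(payload.decode("latin-1")) for tok in STRANGE)

def inspect_and_forward(frags):
    """Return ("forward", original fragments) or ("drop", reason)."""
    whole = reassemble(frags)
    if whole is None:
        return ("drop", "incomplete or overlapping fragments")
    if looks_strange(whole):
        return ("drop", "payload fails normalized check")
    return ("forward", list(frags))   # the very same pieces, no rewrite

# Constructed samples: double-encoded traversal split across fragments, and a benign request.
BAD = [Fragment(0, True, b"GET /%25"), Fragment(8, True, b"2e%252e/"),
       Fragment(16, False, b"etc/passwd HTTP/1.0\r\n")]
GOOD = [Fragment(0, True, b"GET /index"), Fragment(10, False, b".html HTTP/1.0\r\n")]
```

With a single decoding pass the split, double-encoded request would pass the same check, which is the case for the "decode recursively" item.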