Firewall Wizards mailing list archives
RE: IPS vs. Firewalls
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 3 Feb 2006 10:34:49 -0500
-----Original Message-----
Subject: Re: [fw-wiz] IPS vs. Firewalls

> ] I particularly got a chuckle out of Intruvert's (now NAI)
> ] claim that they protect against encrypted attacks. I needed
> ] some yuks to lighten up my morning!!

...now McAfee* (has been for a while). They sold NAI shortly after the IntruVert purchase. And, if by 'protect' you mean 'drop packets and send spoofed resets' and by 'encrypted' you mean 'known protocols over SSL where the private key is provided to the sensor', then they can. But that doesn't sound anywhere near as impressive as 'protects against encrypted attacks' in the product cut sheets.

> Actually, Intruvert, Blue Coat, and a number of other vendors now have
> products which do MITM for SSL connections, assuming you have enough
> control over one endpoint to force it to accept your bogus root
> certificate.

Actually, the IntruShield products don't do (or at least, didn't do) MITM. The sensor gets a copy of the private key and does parallel decryption of the stream. So it's essentially only effective in inbound scenarios. Outbound SSL connections, reverse tunnels, SSH, IPSec, etc. are all blind spots, same as any other NIDS.

There's also a performance hit associated with decrypting SSL in parallel. I've never tried it, but I would be surprised if it were possible to beat the response feature by overloading the SSL ASIC through volume.

For high-volume SSL traffic, I personally recommend terminating SSL on a reverse-proxy / load-balancer and putting your IDS between that point and the actual server. It just scales better.

PaulM

* Disclaimer: I used to work for a McAfee VAR and have been indoctrinated in the ways of IntruShield through vendor/channel training. But I installed my share of IntruShield systems, too. That is to say, I drank the Kool-Aid, but it wasn't bad.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
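The architecture Paul recommends at the end of his post (terminate SSL on a reverse proxy, then inspect the cleartext hop to the real servers) can be sketched as an nginx configuration. This is an added example written for this archive page, not configuration from Paul's message or from any vendor product; the hostname www.example.com, the backend addresses 10.0.1.10/10.0.1.11, the listening port 8080 and the certificate paths are all placeholders.

```nginx
# Added example: TLS terminated at the proxy, cleartext HTTP to the backend.
# An IDS/IPS tapped or inline between this proxy and the backend pool sees
# plain HTTP and needs no copy of the private key.

# Backend pool on the monitored internal segment (placeholder addresses).
upstream app_backend {
    server 10.0.1.10:8080;
    server 10.0.1.11:8080;
}

# Plain HTTP on the outside is redirected to HTTPS.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

# Only this proxy holds the private key; the sensor never does.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Cleartext hop to the backend: this is the traffic the IDS inspects.
        proxy_pass http://app_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}
```

Two points follow from the post itself: the proxy-to-backend segment carries cleartext, so it must be a separate, isolated network that only the proxy, the backends and the sensor can reach; and this layout only gives the sensor visibility into inbound connections to servers you front, so the outbound SSL, SSH and IPSec blind spots Paul mentions are unchanged.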
Current thread:
- IPS vs. Firewalls Phil Albacore (Feb 02)
- Re: IPS vs. Firewalls ArkanoiD (Feb 02)
- Management vs. IT staff (was: Re: IPS vs. Firewalls) Patrick M. Hausen (Feb 02)
- Re: Management vs. IT staff (was: Re: IPS vs. Firewalls) ArkanoiD (Feb 03)
- Re: IPS vs. Firewalls Kevin (Feb 02)
- RE: IPS vs. Firewalls Paul Melson (Feb 07)
- Re: IPS vs. Firewalls Gabriele Buratti (Feb 03)
- Management vs. IT staff (was: Re: IPS vs. Firewalls) Patrick M. Hausen (Feb 02)
- Message not available
- Re: IPS vs. Firewalls Marcus J. Ranum (Feb 02)
- Re: IPS vs. Firewalls (why vs. ?) Gabriele Buratti (Feb 03)
- Re: IPS vs. Firewalls (why vs. ?) Marcus J. Ranum (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Gabriele Buratti (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Marcus J. Ranum (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Marcus J. Ranum (Feb 07)
- Re: IPS vs. Firewalls Marcus J. Ranum (Feb 02)
- Re: IPS vs. Firewalls ArkanoiD (Feb 02)