Firewall Wizards mailing list archives

RE: IPS vs. Firewalls


From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 3 Feb 2006 10:34:49 -0500

-----Original Message-----
Subject: Re: [fw-wiz] IPS vs. Firewalls

]  I particularly got a chuckle out of Intruvert's (now NAI)
]  claim that they protect against encrypted attacks. I needed some
]  yuks to lighten up my morning!!

...now McAfee* (has been for a while).  They sold NAI shortly after the
IntruVert purchase.  And, if by protect you mean 'drop packets and send
spoofed resets' and by 'encrypted' you mean 'known protocols over SSL where
the private key is provided to the sensor', then they can.  But that doesn't
sound anywhere near as impressive as 'protects against encrypted attacks' in
the product cut sheets.

]  Actually, Intruvert, Blue Coat, and a number of other vendors now have
]  products which do MITM for SSL connections, assuming you have enough
]  control over one endpoint to force it to accept your bogus root
]  certificate.

Actually, the IntruShield products don't do (or at least, didn't do) MITM.
The sensor gets a copy of the private key and does parallel decryption of
the stream.  So it's essentially only effective in inbound scenarios.
Outbound SSL connections, reverse tunnels, SSH, IPSec, etc. are all blind
spots, same as any other NIDS.

There's also a performance hit associated with decrypting SSL in parallel.
I've never tried it, but I would be surprised if it were possible to beat
the response feature by overloading the SSL ASIC through volume.  For
high-volume SSL traffic, I personally recommend terminating SSL on a
reverse-proxy / load-balancer and putting your IDS between that point and
the actual server.  It just scales better.

PaulM

* Disclaimer: I used to work for a McAfee VAR and have been indoctrinated in
the ways of IntruShield through vendor/channel training.  But I installed my
share of IntruShield systems, too.  That is to say, I drank the Kool-Aid,
but it wasn't bad.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
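Added example (not from the message above, and not McAfee/IntruShield code): a Python model of the "parallel decryption" design PaulM describes, which also shows the caveat that goes with it. A sensor holding a copy of the server's private key can recover the session key passively only when the handshake uses RSA key exchange, because there the ClientKeyExchange is the premaster secret encrypted to that key. With DHE the same private key only signs the server's ephemeral value, so the sensor can verify the signature but has no way to reach g^ab. The code uses textbook RSA without padding, a toy Diffie-Hellman group over the Mersenne prime 2^521-1, and an HMAC stand-in for the TLS PRF; none of that is real TLS, and every function and constant name is mine.

```python
"""
Passive ("parallel") decryption by a sensor holding the server's private key.
Constructed illustration only: textbook RSA, a toy DH group, an HMAC PRF.
"""
import hashlib
import hmac
import secrets

PREMASTER_LEN = 48        # TLS premaster secret is 48 bytes
DH_P = (1 << 521) - 1     # toy group; real TLS uses RFC 7919 groups or curves
DH_G = 3
DH_LEN = 66               # bytes needed to hold a value below 2^521


def is_probable_prime(n, rounds=24):
    """Miller-Rabin, adequate for demonstration-grade keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Server's long-term key pair as ((n, e), d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), pow(e, -1, phi)

def derive_session_key(secret, client_random, server_random):
    """Stand-in for the TLS PRF: whoever holds the secret gets the same key."""
    return hmac.new(secret, client_random + server_random, hashlib.sha256).digest()

# RSA key exchange: the private key decrypts the captured ClientKeyExchange.
def rsa_key_exchange(server_pub, client_random, server_random):
    """Client side; returns the wire value and the key both endpoints derive."""
    n, e = server_pub
    premaster = secrets.token_bytes(PREMASTER_LEN)
    wire = pow(int.from_bytes(premaster, "big"), e, n)
    return wire, derive_session_key(premaster, client_random, server_random)

def sensor_recover_rsa(wire, server_pub, server_priv, client_random, server_random):
    """Passive sensor: decrypt the premaster with the copied key, rerun the PRF."""
    n, _ = server_pub
    premaster = pow(wire, server_priv, n).to_bytes(PREMASTER_LEN, "big")
    return derive_session_key(premaster, client_random, server_random)

# DHE key exchange: the private key only signs the server's ephemeral value.
def rsa_sign(server_pub, server_priv, data):
    n, _ = server_pub
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), server_priv, n)

def rsa_verify(server_pub, data, sig):
    n, e = server_pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def dhe_key_exchange(server_pub, server_priv, client_random, server_random):
    """Both sides of a DHE handshake; returns the wire view and the session key."""
    a = secrets.randbelow(DH_P - 2) + 1      # client ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1      # server ephemeral exponent
    g_a, g_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = rsa_sign(server_pub, server_priv, g_b.to_bytes(DH_LEN, "big"))
    shared = pow(g_a, b, DH_P)
    assert shared == pow(g_b, a, DH_P)       # client computes the same g^ab
    key = derive_session_key(shared.to_bytes(DH_LEN, "big"), client_random, server_random)
    return (g_a, g_b, sig), key

def sensor_observe_dhe(wire, server_pub, server_priv, client_random, server_random):
    """Passive sensor on DHE: the signature checks out, but the private key
    affords no operation that yields g^ab; RSA-decrypting g^b as if it were a
    ClientKeyExchange just produces an unrelated key."""
    g_a, g_b, sig = wire
    n, _ = server_pub
    authentic = rsa_verify(server_pub, g_b.to_bytes(DH_LEN, "big"), sig)
    bogus = pow(g_b % n, server_priv, n).to_bytes(DH_LEN, "big")
    return authentic, derive_session_key(bogus, client_random, server_random)

def demo(server_bits=512):
    """Run both handshakes past a sensor that holds the server's private key."""
    server_pub, server_priv = rsa_keygen(server_bits)
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    wire, key = rsa_key_exchange(server_pub, cr, sr)
    rsa_ok = sensor_recover_rsa(wire, server_pub, server_priv, cr, sr) == key
    wire, key = dhe_key_exchange(server_pub, server_priv, cr, sr)
    authentic, guess = sensor_observe_dhe(wire, server_pub, server_priv, cr, sr)
    return {"rsa_decrypted": rsa_ok, "dhe_signature_ok": authentic,
            "dhe_decrypted": guess == key}

if __name__ == "__main__":
    print(demo())  # {'rsa_decrypted': True, 'dhe_signature_ok': True, 'dhe_decrypted': False}
```

The outbound direction PaulM calls a blind spot is the same problem from another angle: the sensor holds the keys of servers you administer, not of the remote peer, so it never has the decrypting key for an outbound RSA handshake either. Terminating on a reverse proxy and inspecting plaintext behind it sidesteps both limitations for inbound traffic, which is one more reason that design scales better than handing the key to a sensor.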