Re: Firewall vs. IPS

[Richard Bejtlich <taosecurity () gmail com>]

It's funny this is being discussed now.  Addison-Wesley [0] asked me
to do a short article for an upcoming Dr. Dobb's Journal [1], so I
cover this subject.

I argue against "convergence" between products doing "detection" and
those doing "protection."  Too many people focus on detecting
_attacks_ when really they should be detecting _failures in
protection_ caused by poor access control, exposure of vulnerable
targets, and misconfiguration.

This means the IDS remains a network audit device doing detection, and
all products which filter, scrub, manipulate, or otherwise stop
traffic be accepted as access control devices (aka "firewalls") doing
protection.

You can't have the same device do both functions.  It's like a guard
without a security camera thinking he's doing a good job when an
intruder's already slipped behind him.

If any convergence should take place, it should occur within the
detection market (signature/anomaly/flow/etc. network/host-based IDS)
and separately within the protection market (XML/spam/SQL/etc.
IPS/firewalls).

Sincerely,

Richard
http://www.taosecurity.com
[0] http://www.awprofessional.com/title/0321246772
[1] http://www.ddj.com

--------------------------------------------------------------------------
FREE Network Security Webinar - How to implement IPSec security into VPN appliances 
 
New threats and vulnerabilities require new high-performance IPSec VPN solutions for network protection.
Join the security experts from SafeNet on August 26 at 1:00 PM (Eastern), and learn how to successfully integrate IPSec 
security into VPN processors and appliances to provide powerful yet cost-effective VPN solutions for your customers. 
Register now:

http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
--------------------------------------------------------------------------