IDS mailing list archives

RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)


From: "Rob Shein" <shoten () starpower net>
Date: Wed, 18 Aug 2004 15:31:32 -0400

Last month, Richard Beijtlich (sorry if I mangled your last name, Rich) said
the following:

"If I could have one wish granted, it would be for the IPS to be recognized
as a layer 7 firewall, and not compared to an IDS."

That sentence really resonated with me.  It seems to make a lot of sense to
me that an IPS might eventually be what gets used as a firewall...one which
takes the next evolutionary step.  

At first, there were packet filters, which only cared about what ports were
used and which hosts were talking; they were ignorant with regard to
connection state, fragmentation, or any other aspects of the communication.
And they failed to account for services like FTP, where an outside host
needs to open a second inbound channel on an unpredictable port to the
server.  But it definitely cut back on the exposure of a network to outside
attackers.

Then came stateful inspection, which addressed some of these problems.  Now,
you couldn't just slip things through a firewall as easily just by setting a
source port of 53.  And because the firewall could do packet inspection to a
certain degree, FTP would work transparently as well.  And it could reject
fragmented packets, or other packets that were deliberately malformed.  But
it still couldn't tell the intent of the traffic passing back and forth; a
simple GET request for "www.foo.org/index.html" looked the same to it as a
GET request that used the unicode attack to traverse directories and grab a
copy of the SAM.  But just the same, it cut back even more on the exposure
level.

But what if the next step was to be able to specify not just that, but also
to weed out a good bit of the hostile activity that would otherwise pass
through unnoticed by the firewall?  Mind you, I'm not saying that I think
IPS would catch everything, or that it could even watch for attacks on all
protocols, but it can definitely stop a good chunk of them.  The exposure of
your network has gone down, yet again.

Even better is that I would expect an IPS to stop the most mundane and
common attacks, the ones used by the ankle-biters.  And while these are
easier to deal with in the first place, nonetheless machines do go
accidentally unpatched (or misconfigured), and the kiddies are so numerous
that I feel that their attacks are the largest threat, based on sheer force
of numbers.  So the next level IPS/firewall/whatever you call it has cut
back on most of the background noise, allowing you to focus on the really
unique and truly dangerous (and, as Mudge once said, "really cool") hacks.
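The packet-filter versus stateful-inspection distinction drawn above (including the "source port 53" trick) is easy to see in a small simulation. The following Python is an added illustration, not code from this post or from any of the products named in the thread; the addresses, port numbers and packet trace are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addresses for the walkthrough (RFC 1918 and documentation ranges).
INSIDE_HOST = "10.0.0.5"
DNS_SERVER = "192.0.2.53"
OUTSIDE_HOST = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives on the outside interface


FlowKey = Tuple[str, str, int, str, int]


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reverse_key(pkt: Packet) -> FlowKey:
    """Key of the outbound flow this packet would be an answer to."""
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def stateless_verdict(pkt: Packet) -> bool:
    """First-generation packet filter: each packet is judged on its own header.

    Policy: outbound is open; inbound is admitted only when it looks like a
    DNS answer, i.e. UDP/TCP source port 53.  That rule is the hole the post
    describes: the filter has no memory, so it cannot tell a real answer from
    an unsolicited packet whose sender simply chose source port 53.
    """
    if not pkt.inbound:
        return True
    return pkt.sport == 53


class StatefulFilter:
    """Stateful inspection: remember flows opened from the inside and admit an
    inbound packet only when it matches the reverse of a remembered flow."""

    def __init__(self) -> None:
        self.table: Set[FlowKey] = set()

    def verdict(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.table.add(flow_key(pkt))      # inside host opened a flow
            return True
        return reverse_key(pkt) in self.table  # answer to a known flow?


def run_trace(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless_allowed, stateful_allowed) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_verdict(p), stateful.verdict(p)) for p in packets]


# Constructed trace: a legitimate DNS exchange, an inbound connection attempt
# that borrows source port 53, and an ordinary unsolicited inbound SYN.
TRACE = [
    Packet("udp", INSIDE_HOST, 40000, DNS_SERVER, 53, inbound=False),  # DNS query
    Packet("udp", DNS_SERVER, 53, INSIDE_HOST, 40000, inbound=True),   # DNS answer
    Packet("tcp", OUTSIDE_HOST, 53, INSIDE_HOST, 445, inbound=True),   # sport-53 trick
    Packet("tcp", OUTSIDE_HOST, 4444, INSIDE_HOST, 22, inbound=True),  # plain probe
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={'ALLOW' if stateless else 'DROP'}"
              f"  stateful={'ALLOW' if stateful else 'DROP'}")
```

Only the third packet separates the two designs: the stateless filter waves it through because its source port is 53, while the stateful filter drops it because no inside host ever opened a flow to that address and port. The same flow table is what lets a stateful box handle FTP transparently, by adding an entry for the data channel when it sees the control channel negotiate one, and it still says nothing about what the bytes inside an allowed flow are trying to do, which is the gap the post assigns to the IPS.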

-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com] 
Sent: Sunday, August 15, 2004 10:46 PM
To: focus-ids () securityfocus com
Subject: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)




Things are getting a little confusing. ISS claims that its 
Proventia boxes are also firewalls. Intrushield 2.1 has 
firewall/layer 4 filtering capabilities now. If the 
Intrushield box does layer 4 ACLs now, then what makes it not 
equal to a firewall? What does a firewall do that an IPS 
doesn't as long as the IPS can do layer-4 access lists? Any 
info is appreciated.

--------------------------------------------------------------------------
FREE Network Security Webinar - How to implement IPSec 
security into VPN appliances 
 
New threats and vulnerabilities require new high-performance 
IPSec VPN solutions for network protection. Join the security 
experts from SafeNet on August 26 at 1:00 PM (Eastern), and 
learn how to successfully integrate IPSec security into VPN 
processors and appliances to provide powerful yet 
cost-effective VPN solutions for your customers. 
Register now:

http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
--------------------------------------------------------------------------