IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Fri, 22 Jul 2005 10:45:26 -0400
If someone configures their layer 3/4 firewall to block, say, ports 111 TCP and 445 TCP, and let everything else pass, we would agree that is a poor deployment model. People still do this, unfortunately. ... If someone configures their layer 7 firewall (aka IPS) to block traffic identified by signature, anomaly, vulnerability, whatever, and let everything else pass, now we're discussing the way almost everyone deploys IPSs.
The main reason for this is the fact that it's hard (and almost impossible) to use the opposite approach. Many times, companies don't know exactly what kind of traffic they have on their network. They might attempt to use the "white listing" approach just to find out that all of a sudden many things don't work anymore. A good example would be a financial company that bought some sort of biz app that uses "who knows what" for communication. As a result, they fall back to the "black listing" approach, blocking the threats they are aware of.

In the case of service providers it's also possible to have a situation where the company just doesn't have complete knowledge of what their customers have (to "white list" every service all of their customers have), so what is the alternative... They end up deploying their IPS/firewall in "black listing" mode.

Things are also complicated by the fact that there are a number of complex network protocols that use multiple connections that are negotiated at run time (ftp, sun-rpc, ms/dce-rpc, lots of voice and streaming media protocols, etc). If an IPS/firewall can't handle them, you can't have a pure "white listing" solution because you need to leave a lot of holes open for those dynamic connections.

Kyle
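The last point in the message above (protocols such as FTP negotiate their data connections at run time, so a static "white list" has to leave a port range open) is what a firewall's protocol helper, or ALG, exists to solve. The block below is an added example, not code from the original post or from any firewall product: a toy FTP helper that follows the control channel, parses the PORT command and the 227 passive-mode reply, and returns the exact data-channel pinholes a default-deny policy would need to open. The session transcript and the addresses (192.0.2.10 and 198.51.100.5, RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Toy FTP protocol helper for a default-deny firewall.

Added example for this thread, not code from the original post. The session
below is constructed; addresses come from the RFC 5737 documentation ranges.

Active mode:  client sends  "PORT h1,h2,h3,h4,p1,p2"; the server will connect
              from its data port to h1.h2.h3.h4:(p1*256+p2).   (server -> client)
Passive mode: server answers "227 ... (h1,h2,h3,h4,p1,p2)"; the client will
              connect to h1.h2.h3.h4:(p1*256+p2).              (client -> server)
A layer 3/4 allow-list cannot express either in advance; the helper turns each
negotiation into one narrow pinhole instead of a 1024-65535 range.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One TCP data connection the firewall should permit: src -> dst:dport."""
    src: str
    dst: str
    dport: int


def _decode(fields):
    """Turn the six h1..p2 fields into ('a.b.c.d', port), rejecting bad octets."""
    a, b, c, d, p1, p2 = (int(x) for x in fields)
    if not all(0 <= x <= 255 for x in (a, b, c, d, p1, p2)):
        raise ValueError("octet out of range in FTP address")
    return f"{a}.{b}.{c}.{d}", (p1 << 8) | p2


def expected_data_connections(client_ip, server_ip, control_lines):
    """Walk the control channel and return the data-channel pinholes.

    control_lines: iterable of (direction, line); direction is "C" (client)
    or "S" (server). Addresses inside PORT/227 must match the endpoint that
    sent them; otherwise the helper would punch a hole to a third party
    (the classic FTP bounce abuse), so such lines are rejected.
    """
    holes = []
    for direction, line in control_lines:
        if direction == "C":
            m = PORT_RE.match(line)
            if m:
                ip, port = _decode(m.groups())
                if ip != client_ip:
                    raise ValueError(f"PORT address {ip} is not the client {client_ip}")
                holes.append(Pinhole(src=server_ip, dst=ip, dport=port))
        elif direction == "S":
            m = PASV_RE.match(line)
            if m:
                ip, port = _decode(m.groups())
                if ip != server_ip:
                    # A NAT'd server that advertises its private address ends up
                    # here; a real helper would rewrite it, this toy refuses it.
                    raise ValueError(f"227 address {ip} is not the server {server_ip}")
                holes.append(Pinhole(src=client_ip, dst=ip, dport=port))
    return holes


# Constructed control-channel transcript (client 192.0.2.10, server 198.51.100.5).
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,4,1"),                 # active: client listens on 4*256+1 = 1025
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),  # 195*256+80 = 50000
    ("C", "RETR notes.txt"),
]


def demo():
    """Run the helper over the sample session and return the pinholes."""
    return expected_data_connections("192.0.2.10", "198.51.100.5", SAMPLE_SESSION)


if __name__ == "__main__":
    for h in demo():
        print(f"allow tcp {h.src} -> {h.dst}:{h.dport}")
```

Without the helper, the only way to keep the two transfers in the sample working under a default-deny policy is to allow every high port between the two hosts in both directions, which is the "lot of holes" the message describes; with it, the policy stays closed except for the two 5-tuples the session actually negotiated.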
Current thread:
- RE: Firewalls (was Re: IDS evaluations procedures) Biswas, Proneet (Jul 21)
- <Possible follow-ups>
- RE: Firewalls (was Re: IDS evaluations procedures) Hovis, Chris (Jul 21)
- RE: Firewalls (was Re: IDS evaluations procedures) Kyle Quest (Jul 22)
- RE: Firewalls (was Re: IDS evaluations procedures) Swift, David (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Sanjay Rawat (Jul 26)
- Re: Firewalls (was Re: IDS evaluations procedures) Martin Roesch (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Jason (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Stefano Zanero (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 25)
- RE: [Bulk] Re: Firewalls (was Re: IDS evaluations procedures) Bill Royds (Jul 26)
- RE: Firewalls (was Re: IDS evaluations procedures) Omar Herrera (Jul 26)
- RE: Firewalls (was Re: IDS evaluations procedures) Swift, David (Jul 25)