IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: "Swift, David" <dswift () ipolicynetworks com>
Date: Fri, 22 Jul 2005 14:32:10 -0700
Right up front, I'll admit I work for a vendor, but...

1. There are a growing number of Intrusion Detection/Intrusion Prevention Systems that have an integrated firewall.

2. IPS is a significant step in the right direction, and does things a firewall can't. If you have doubts, try using Firewalker to pinpoint holes in your firewall, and map network devices PAST the firewall perimeter. If I can find them, I can attack them. Then craft a few attacks with Nessus and send a fragmented attack right on through the firewall at a given target.

iPolicy started a company with the premise that security integration was where things were headed. We built a good firewall that, after 5 years of revisions, now has an easy-to-use interface, AND we incorporate a good IDS/IPS engine.

Regardless of the type of networking device, every packet has to be inspected for certain pieces of data... Source Address, Destination Address, Source/Destination Protocol.... If you've already read the packet, why not apply intelligence beyond allow/deny/NAT/PAT and actually inspect the data payload? IDS is a natural extension. Oh, and by the way, while you have the data payload open for inspection, why not apply intelligent rules to look for MalWare in the payload? Then toss the bad payload packets away with everything else you've already filtered with the firewall rules. Now integrate the rules into a common rule tree, and you can eliminate the latency of multiple devices in serial to accomplish the same thing.

By the way, URL filtering, Anti-Virus Scanning, Peer-to-Peer, and Instant Messaging all make sense in the same device as well. Essentially, instead of a static rule engine, integrated security devices are Sniffers on steroids with good rule trees to weed out bad packets, regardless of why they're not wanted.

___________________________________________
David Swift
Sr. Systems Engineer
CISSP, MCSE, MCNE, CCNA, AIX-CSA, SUN-CSA

-----Original Message-----
From: Mike Barkett [mailto:mbarkett () nfr com]
Sent: Friday, July 22, 2005 12:56 PM
To: 'Richard Bejtlich'; 'Nick Black'
Cc: focus-ids () securityfocus com
Subject: RE: Firewalls (was Re: IDS evaluations procedures)
-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com]
Sent: Thursday, July 21, 2005 7:56 AM

Hi Nick and list,

If someone configures their layer 3/4 firewall to block, say, ports 111 TCP and 445 TCP, and let everything else pass, we would agree that is a poor deployment model. People still do this, unfortunately. If someone configures their layer 7 firewall (aka IPS) to block traffic identified by signature, anomaly, vulnerability, whatever, and let everything else pass, now we're discussing the way almost everyone deploys IPSs.
I've heard/read this wrongheaded argument and its variants over and over again. It goes sort of like this: "y'know, in the end IPS is just a firewall, and so now I'll proceed to judge it by firewall standards, and since it doesn't match my perception of a firewall, it's a poor solution." That is called circular reasoning.

Firewalls have evolved as full-fledged network participants, and some folks would argue the firewall is the key component of a well-designed network. Almost everyone uses them for NAT, many people use built-in VPN functionality, and I'll even frequently see people running routing protocols on the firewall. This is all in addition to "letting in what's good and denying everything else."

The IPS wields a big sanity stick and uses it frequently to wallop stupid traffic. We all know there's lots of stupid traffic out there that still gets through the firewall. A high-quality IPS will also be effective at warding off real attackers and preventing insiders from doing prohibited things.

This discussion so far has been about what is out there and what people do. Today, in 2005, an IPS is a device that complements your traditional firewall, whether it's a L3/4 device or a proxy, or whatever. Today, you can get a firewall to be smarter about the traffic it lets through, and you can set up an IPS to "let in what's good and deny everything else." I know people who DO use their IPS this way. Additionally, there are some products that claim to do it all, and truthfully that is probably where things are eventually going. But what you cannot do today, in 2005, is cut one check to one vendor and receive a single box that contains a best-of-breed IPS and a top-notch firewall. That is, unless you cut the check to a VAR that sells NFR and some firewall and they ship them in the same box. :-D

My point is, we should not ditch the technology simply because it is not nirvana.
I have not heard anyone defining and passing "authorized" traffic and denying everything else via IPS. In fact, a hot hardware item these days are inline bypass switches to avoid inline IPSs that fail. "Better to keep the traffic flowing than fail closed!" is the rationale.
Two fail passthrough IPSes deployed serially can give non-HA networks a level of availability previously only found on fully redundant networks. Also, any IPS worth its salt will give the user the ability to disable/enable this feature at will. When used without another IPS or firewall, yes, fail passthrough is a poor security measure. However, some organizations choose to accept this risk, and many actually implement the safeguard properly.
I detest the term IPS, as it is a pure marketing term. It was created by companies that needed to define a new access control product niche to compete against the firewall giants of the early 2000s. (All defensive measures are trying to prevent intrusions.)
I agree, the term IPS is somewhat awkward, especially to anyone with a background in firewalls. I also believe that purism rarely creates value for anyone, and security is no exception. It is a growing pain of any market to endure tweener products and fad "marketing terms" as the technology gets fleshed out. As I said before, we live in today, and this is where the technology is.
However, I am not disrespecting the technology. Anything which can make smarter access control decisions is extremely helpful and an important part of the security arsenal.
Good! I have some IPS to sell you. (There's my vendor disclaimer.) :)

-MAB

--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
5 Choke Cherry Road, Rockville, MD 20850

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
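As an added illustration (not code from any poster on this thread), the following Python models the two deployment styles Richard contrasts above, a block-list firewall with default allow versus an allow-list with default deny, evaluated inside the kind of single-pass combined rule tree David describes, where the payload signature is checked in the same evaluation as the L3/4 header fields. The ports, payloads and the sample signature are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    # One node of the combined tree: L3/4 header fields plus an optional payload
    # signature, consulted only once the header part of the rule has matched.
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    signature: Optional[re.Pattern] = None

    def matches(self, pkt: Packet) -> bool:
        for name, want in (("proto", self.proto), ("dport", self.dport)):
            if want is not None and getattr(pkt, name) != want:
                return False
        return self.signature is None or self.signature.search(pkt.payload) is not None
def decide(rules: List[Rule], default: str, pkt: Packet) -> str:
    # Single pass over the tree: first matching rule wins, else the default policy applies.
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default
# Model A: block-list firewall, default allow (deny 111/TCP and 445/TCP, pass the rest).
BLOCKLIST = [Rule("deny", proto="tcp", dport=111), Rule("deny", proto="tcp", dport=445)]
# Model B: allow-list with payload inspection, default deny. Only HTTP is authorized, and
# the signature deny rule sits above the allow rule in the same tree, so header and
# payload are checked in one evaluation rather than by two devices in serial.
ALLOWLIST = [
    Rule("deny", proto="tcp", dport=80, signature=re.compile(rb"/etc/passwd")),
    Rule("allow", proto="tcp", dport=80),
]
# Constructed traffic: benign web request, RDP, SMB, and a web request whose payload
# matches the sample signature.
SAMPLE = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", 3389),
    Packet("tcp", 445),
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
]
def compare(packets: List[Packet]) -> List[Tuple[str, str]]:
    # (block-list verdict, allow-list verdict) per packet
    return [(decide(BLOCKLIST, "allow", p), decide(ALLOWLIST, "deny", p)) for p in packets]
```

Running `compare(SAMPLE)` shows the point of the argument: the block-list model lets the RDP packet and the signature-matching web request through unchallenged, while the allow-list tree denies both and still passes the benign request.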