IDS mailing list archives

RE: Firewalls (was Re: IDS evaluations procedures)


From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 25 Jul 2005 19:16:18 -0500



-----Original Message-----
From: Devdas Bhagat 
<snip>
Oh, and by the way while you have the data payload open for inspection,
why not apply intelligent rules to look for MalWare in the payload? Then
toss the bad payload packets away with everything else you've already
filtered with the firewall rules.

I repeat: everything which is not known good is bad. Any security policy
which attempts to enforce otherwise is broken.

Oh well, history repeats itself.

I fully agree with white lists, positive logic or whatever you would like to
name the approach; it is the most secure and efficient approach.

However Devdas, don't forget that there are some issues with this approach
too:
   * It usually requires a strict discipline (e.g. standardization) and
several supporting procedures (e.g. an application certification process,
where you know exactly what you have and that it is legal).
   * It is not suitable for all environments, for example: Universities.
Unless you enforce certain applications with certain configurations
everywhere, it is meaningless (of course you can apply it to a subset of
systems, such as some production servers, but you still have a lot of
infrastructure which is difficult to cover with this approach).
   * It is expensive (not if you just stay at the network level, but to
fully get advantage of this approach, you should get closer to the hosts
being protected).

Now, IDS/IPS have always struggled with understanding and emulating the
behavior of protected devices (e.g. to avoid evasion tricks). In my
experience, the farther from the protected devices, the more difficult it is
to have an efficient protection of this kind, which means that personal
firewalls will work much better than network firewalls, in terms of this
approach. 

With a network firewall/IPS, you know a lot less from the event (e.g. ports,
protocols and content), you don't know several things such as the name of
the application generating the traffic and whether that application is valid
(i.e. has been certified or not). Many Trojan horses and spyware will
generate perfectly legal traffic once installed in the host, from an
IPS/IDS/Firewall point of view, silently leaking confidential information to
the Internet. Current personal firewalls and some hIPS/hIDS are able to at
least identify if the application generating the traffic is valid or not. We
already know what the current trends in malware are, so more than ever, this
should be the way to go for organizations where this approach is
appropriate. I'm not sure how the market or the vendors view this. I get
mixed signals, with several vendors still focusing on network centric
all-in-one, relatively low cost, solutions, yet, there are a few that seem
to recognize the need of a more robust approach for enterprises and big
organizations, using a positive logic approach (could be a niche for new
players it seems).

God knows that if there existed brain based personal firewalls, IPS or IDS I
would certainly install them on most of my users, using a white list approach:
"User, this is your consciousness personal firewall, you DON'T know nor
trust that email address, therefore, don't open that attachment".
Unfortunately, we are not quite there, yet :-).

So far, most host based solutions I've seen (firewalls, IPS and IDS) are not
ready to work seamlessly with positive logic at enterprise level. Many of
them are still personal products that are administrated to some degree
through a console but you note their lack of enterprise capabilities when
identifying, certifying and updating (patching) applications at the
organization. You can start using them already, with still a lot of effort
though ;-).

Finally, I know this might revive the debates regarding the elimination of
perimeter defenses, that some have suggested (here is a recent article on
this topic, which should be a couple of years old by now:
http://www.securitypipeline.com/165700439;jsessionid=LMEQMXS0V3V0WQSNDBGCKH0CJUMEKJVN
he doesn't quite move towards host based security, but farther
from the perimeter and closer to the servers).

I wouldn't go as far as completely wiping out perimeter defenses, but with
attacks being increasingly difficult to detect and prevent at the network
level I would definitely dedicate more resources on the host side, with a
positive logic approach.

Kind regards,

Omar Herrera
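The vantage-point difference the post describes (a network device only sees ports and protocols, while a host agent can tie a flow to the application that produced it and to whether that application is certified) can be shown with a small positive-logic policy evaluator. This is an added example, not code from the post, the list, or any product named in it; the "certified" binaries, the uncertified downloader, the 198.51.100.0/24 destinations and the allow-list contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt. app_bytes stands in for the on-disk
    executable a host agent can hash; a perimeter device never sees it."""
    dst_ip: str
    proto: str
    dst_port: int
    app_bytes: Optional[bytes] = None


# --- network vantage point: known-good (protocol, port) pairs only ---------
NETWORK_ALLOW: Set[Rule] = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def network_allow(flow: Flow) -> bool:
    """Positive logic with what a network firewall/IPS can observe."""
    return (flow.proto, flow.dst_port) in NETWORK_ALLOW


# --- host vantage point: certified application identity -> permitted rules --
def fingerprint(binary: bytes) -> str:
    return hashlib.sha256(binary).hexdigest()


# Constructed stand-ins for executables that passed certification (hypothetical).
BROWSER_BIN = b"constructed: certified browser build 1.0"
MAILER_BIN = b"constructed: certified mail client build 2.3"

CERTIFIED_APPS: Dict[str, Set[Rule]] = {
    fingerprint(BROWSER_BIN): {("tcp", 80), ("tcp", 443)},
    fingerprint(MAILER_BIN): {("tcp", 993), ("tcp", 587)},
}


def host_allow(flow: Flow) -> bool:
    """Positive logic at the host: an unknown origin, an uncertified build,
    or a certified build using a port outside its profile all fall through
    to deny. Nothing is allowed because it merely 'looks normal'."""
    if flow.app_bytes is None:
        return False
    permitted = CERTIFIED_APPS.get(fingerprint(flow.app_bytes))
    if permitted is None:
        return False
    return (flow.proto, flow.dst_port) in permitted


def evaluate(flow: Flow) -> Dict[str, bool]:
    return {"network": network_allow(flow), "host": host_allow(flow)}


# Constructed sample events; the downloader is a binary nobody certified.
SPYWARE_BIN = b"constructed: unknown downloader"
FLOWS: Dict[str, Flow] = {
    "browser_https": Flow("198.51.100.10", "tcp", 443, BROWSER_BIN),
    "spyware_https": Flow("198.51.100.20", "tcp", 443, SPYWARE_BIN),
    "browser_irc": Flow("198.51.100.30", "tcp", 6667, BROWSER_BIN),
    "mailer_submission": Flow("198.51.100.40", "tcp", 587, MAILER_BIN),
}


def leaked_flows() -> List[str]:
    """Flows the perimeter allow-list passes but the host allow-list rejects:
    the 'perfectly legal traffic' case from the post, invisible on the wire."""
    return sorted(name for name, flow in FLOWS.items()
                  if network_allow(flow) and not host_allow(flow))


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:18s} {evaluate(flow)}")
    print("passes network, fails host:", leaked_flows())
```

Running it shows the two sides of the argument in one table: spyware_https is indistinguishable from browser_https at the network level and is caught only by the host check, while mailer_submission is legitimate certified traffic that the coarse network list rejects, which is the discipline and maintenance cost the post attributes to the positive-logic approach.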

