IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 25 Jul 2005 19:16:18 -0500
-----Original Message-----
From: Devdas Bhagat
<snip>
> Oh, and by the way while you have the data payload open for inspection, why not apply intelligent rules to look for MalWare in the payload? Then toss the bad payload packets away with everything else you've already filtered with the firewall rules.
>
> I repeat: everything which is not known good is bad. Any security policy which attempts to enforce otherwise is broken. Oh well, history repeats itself.
I fully agree with white lists, positive logic or whatever you would like to name the approach; it is the most secure and efficient approach. However Devdas, don't forget that there are some issues with this approach too:

* It usually requires a strict discipline (e.g. standardization) and several supporting procedures (e.g. an application certification process, where you know exactly what you have and what is legal).
* It is not suitable for all environments, for example: Universities. Unless you enforce certain applications with certain configurations everywhere, it is meaningless (of course you can apply it to a subset of systems, such as some production servers, but you still have a lot of infrastructure which is difficult to cover with this approach).
* It is expensive (not if you just stay at the network level, but to fully take advantage of this approach, you should get closer to the hosts being protected).

Now, IDS/IPS have always struggled with understanding and emulating the behavior of protected devices (e.g. to avoid evasion tricks). In my experience, the farther from the protected devices, the more difficult it is to have efficient protection of this kind, which means that personal firewalls will work much better than network firewalls, in terms of this approach. With a network firewall/IPS, you know a lot less from the event (e.g. ports, protocols and content); you don't know several things such as the name of the application generating the traffic and whether that application is valid (i.e. has been certified or not). Many Trojan horses and spyware will generate perfectly legal traffic once installed in the host, from an IPS/IDS/Firewall point of view, silently leaking confidential information to the Internet. Current personal firewalls and some hIPS/hIDS are able to at least identify if the application generating the traffic is valid or not.
We already know what the current trends in malware are, so more than ever, this should be the way to go for organizations where this approach is appropriate. I'm not sure how the market or the vendors view this. I get mixed signals, with several vendors still focusing on network centric all-in-one, relatively low cost, solutions, yet there are a few that seem to recognize the need for a more robust approach for enterprises and big organizations, using a positive logic approach (could be a niche for new players it seems).

God knows that if there existed brain based personal firewalls, IPS or IDS I would certainly install them on most of my users, using a white list approach: "User, this is your consciousness personal firewall, you DON'T know nor trust that email address, therefore, don't open that attachment". Unfortunately, we are not quite there, yet :-).

So far, most host based solutions I've seen (firewalls, IPS and IDS) are not ready to work seamlessly with positive logic at enterprise level. Many of them are still personal products that are administered to some degree through a console, but you note their lack of enterprise capabilities when identifying, certifying and updating (patching) applications at the organization. You can start using them already, with still a lot of effort though ;-).

Finally, I know this might revive the debates regarding the elimination of perimeter defenses, that some have suggested (here is a recent article on this topic, which should be a couple of years old by now: http://www.securitypipeline.com/165700439;jsessionid=LMEQMXS0V3V0WQSNDBGCKH0CJUMEKJVN, he doesn't quite move towards host based security, but farther from the perimeter and closer to the servers). I wouldn't go as far as completely wiping out perimeter defenses, but with attacks being increasingly difficult to detect and prevent at the network level I would definitely dedicate more resources on the host side, with a positive logic approach.
Kind regards,
Omar Herrera
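To make the visibility argument in the post concrete, here is an added example (my own illustration, not code from the post or from any product) that evaluates the same positive-logic policy at the perimeter, where only protocol and port are visible, and at the host, where the process and its binary are visible. The certified-application list, the per-application port sets and the flows are all constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def fingerprint(content: bytes) -> str:
    """Identity of an executable as an application certification process would record it."""
    return hashlib.sha256(content).hexdigest()

# Constructed stand-in for a certification list: (path, hash of contents) -> traffic
# that binary is allowed to generate. Anything not listed is, by policy, bad.
CERTIFIED_APPS = {
    ("/usr/bin/browser", fingerprint(b"constructed browser build 1.0")): {("tcp", 80), ("tcp", 443)},
    ("/usr/bin/mailer", fingerprint(b"constructed mail client 2.3")): {("tcp", 993), ("tcp", 587)},
}

# All a perimeter rule can express: protocol and destination port, no application identity.
NETWORK_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 993), ("tcp", 587), ("udp", 53)}

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    process: Optional[str] = None    # visible only at the host
    binary: Optional[bytes] = None   # executable contents, visible only at the host

def network_decision(flow: Flow) -> str:
    return "allow" if (flow.proto, flow.dst_port) in NETWORK_ALLOW else "deny"

def host_decision(flow: Flow) -> str:
    """Positive logic at the host: unknown program, altered binary or unexpected port is denied."""
    if flow.process is None or flow.binary is None:
        return "deny"
    allowed = CERTIFIED_APPS.get((flow.process, fingerprint(flow.binary)))
    if allowed is None:
        return "deny"
    return "allow" if (flow.proto, flow.dst_port) in allowed else "deny"

def compare(flow: Flow) -> tuple:
    return network_decision(flow), host_decision(flow)

# Constructed flows: the first is legitimate; the rest all look like ordinary HTTPS to the perimeter.
SAMPLE_FLOWS = {
    "browser_https": Flow("tcp", 443, "/usr/bin/browser", b"constructed browser build 1.0"),
    "unknown_program_https": Flow("tcp", 443, "/tmp/.cache/updater", b"constructed unknown binary"),
    "browser_after_unrecorded_patch": Flow("tcp", 443, "/usr/bin/browser", b"constructed browser build 1.1"),
    "mailer_on_web_port": Flow("tcp", 443, "/usr/bin/mailer", b"constructed mail client 2.3"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:32s} network={network_decision(flow):5s} host={host_decision(flow)}")
```

The third flow shows the operational cost the post mentions: a legitimate update that the certification list does not yet know about is denied until the list is refreshed, which is why patching and certification procedures have to move together.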