IDS mailing list archives

RE: [Bulk] Re: Firewalls (was Re: IDS evaluations procedures)


From: "Biswas, Proneet" <pbiswas () ipolicynetworks com>
Date: Tue, 26 Jul 2005 11:30:45 -0700


I would tend to agree with Bill here. In fact, with the number of
implementations of different protocols out there, it would be even tough
to define what is "known good" for an IDS/IPS solution too. For some
implementations, it is not just the implementation but its specific
binary running on a particular OS/platform. Example: Apache Server on
Linux could be affected by a particular vulnerability which can be
exploited whereas on Windows it might be perfectly safe.
That is why it is often suggested to approach the issue from the
vulnerability ("known bad") angle.
Identify the vulnerabilities in the software packages being run and how
they can be exploited. Check if the IDS/IPS solutions provide the
protection from these vulnerabilities.



Devdas Bhagat said:
"everything which is not known good is bad. Any security policy
which attempts to enforce otherwise is broken"

The problem is that earlier understandings of "known good" such as
"follows the protocol exactly and does not use any unsafe commands in
the protocol", which is what a proxy firewall implements, are not
complete. The "known good" paradigm is not as simple as it appears on
the surface. Because of problems in actual implementations of protocols
on servers and workstations, there is now the problem that "known good"
for Apache web servers may be bad for Windows IIS servers. So there needs
to be a finer resolution of "known good" than most proxy firewalls can
handle. The technology used to develop IDS has more of that finer
resolution than most present firewalls, whether proxy or not. So taking
the analysis technology from IDS and adding it to a secondary firewall
called an IPS (as well as to application specific firewalls) helps add to
the security policy.

  It would be nice if proxy firewalls were more accurate in identifying
"known good" traffic, but the complexity that adds to a choke point would
make the firewall a risk in itself.
  By having separate systems in a layered approach, one can separate the
firewall that only passes valid safe protocol traffic but doesn't know
about particular flaws in particular implementations from the IPS that
protects a particular implementation of that protocol by ensuring only
safe traffic for that implementation. That separation of roles can
provide better "defence in depth" than either one alone.


-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org] 
Sent: Monday, July 25, 2005 3:31 PM
To: focus-ids () securityfocus com
Subject: [Bulk] Re: Firewalls (was Re: IDS evaluations procedures)

On 22/07/05 14:32 -0700, Swift, David wrote:
Right up front, I'll admit I work for a vendor, but...

1. There are a growing number of Intrusion Detection/Intrusion Prevention
Systems that have an integrated firewall.
2. IPS is a significant step in the right direction, and does things a
firewall can't. If you have doubts, try using Firewalker to pinpoint

Only if your "firewall" is a pure packet filter. Why not improve the IPS
to disallow all traffic except that which is found to be legitimate. The
subset of all traffic which is legitimate is far smaller and
deterministic. And then you might as well terminate the connection right
there and build a wholly new one which is known to be good. And then
market it as a proxy?

<snip>
Oh, and by the way while you have the data payload open for inspection,
why not apply intelligent rules to look for MalWare in the payload? Then
toss the bad payload packets away with everything else you've already
filtered with the firewall rules.

I repeat: everything which is not known good is bad. Any security policy
which attempts to enforce otherwise is broken.

Oh well, history repeats itself.

Devdas Bhagat



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
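The layered "known good" then "known bad" design argued for in the thread above, as an added illustration (not code from any poster, vendor or product): a proxy-style layer that passes only protocol-valid HTTP requests, followed by an IPS-style layer that applies rules specific to the implementation behind the choke point. The server names and their rules are constructed, hypothetical placeholders, not properties of any real product.

```python
"""Two-layer filter: protocol-validity allowlist, then implementation-specific rules."""
import re

# Layer 1: proxy-style "known good". Default deny: a request passes only if the
# request line is well-formed, the method is allowlisted and every header parses.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>/\S*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[A-Za-z0-9-]+: [^\r\n]*$")


def proxy_known_good(request: str):
    """Return (ok, reason); knows the protocol, not any particular server."""
    lines = request.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group("method") not in ALLOWED_METHODS:
        return False, "method %s not in allowlist" % m.group("method")
    if any(h and not HEADER_LINE.match(h) for h in lines[1:]):
        return False, "malformed header"
    return True, "protocol-valid"


# Layer 2: IPS-style "known bad" rules keyed on the implementation being
# protected. Constructed, hypothetical limits: the same protocol-valid request
# can be safe for one implementation and unsafe for another.
IMPL_RULES = {
    "hypothetical-server-A": [
        ("header line over 256 bytes",
         lambda req: any(len(h) > 256 for h in req.split("\r\n")[1:])),
    ],
    "hypothetical-server-B": [
        ("request target over 1024 bytes",
         lambda req: len(req.split("\r\n")[0].split(" ")[1]) > 1024),
    ],
}


def ips_known_bad(request: str, impl: str):
    """Return (ok, reason) for the rules of the named implementation."""
    for name, matches in IMPL_RULES.get(impl, []):
        if matches(request):
            return False, name
    return True, "no implementation-specific rule matched"


def layered_decision(request: str, impl: str):
    """Proxy layer first (cheap, protocol-only), then the IPS layer."""
    ok, why = proxy_known_good(request)
    if not ok:
        return "drop@proxy", why
    ok, why = ips_known_bad(request, impl)
    return ("pass" if ok else "drop@ips"), why
```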



