IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: "Hovis, Chris" <Chris.Hovis () morgankeegan com>
Date: Thu, 21 Jul 2005 08:58:58 -0500
"Unified Threat Management (UTM) appliance" is an increasingly popular term for an "NIPS-NIDS-FW-AV-Content filter-antispam-washes-the-dishes-as-well appliance". ISS, Secure Computing, and a number of private companies (such as Deep Nines and Reflex Security) have offerings in this market in addition to Fortinet and Symantec that you mention.

Secure Enterprise recently reviewed some of these products. You can see the review at http://www.securitypipeline.com/showArticle.jhtml?articleID=162600163

-Chris

Chris Hovis
Equity Research Analyst - Internet Security and Infrastructure
Morgan Keegan & Company, Inc.
chris.hovis () morgankeegan com
404.240.6765 (office)
866.355.6765 (toll-free)
770.630.7601 (mobile)
-----Original Message-----
From: Fergus Brooks [mailto:fergwa () gmail com]
Sent: Tuesday, July 19, 2005 1:56 AM
To: focus-ids () securityfocus com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

Devdas, you say:

> An IDS is not an attack prevention mechanism. An IDS is a tool to detect when your active attack detection mechanisms have been bypassed. An IDS is passive. It tells you what it can see, but it is not supposed to do anything to that traffic. Active elements are called firewalls, and firewalls include both packet filters and proxies.

Traditionally a firewall is nothing more than a gatekeeper that permits or denies traffic based on a predefined policy. "Active" in that it is powered on, but only as intelligent as its feature set allows for. The ability to monitor state was one of the first of these more advanced features, and now the sky is the limit. You mention proxies - application-layer firewalls like Gauntlet/Sidewinder and Raptor/SEF have the ability to look at traffic in far more detail; in fact they spawn other processes to communicate with the destination devices. This is more "active," but still a firewall by definition.

Traditionally your definition of an IDS is correct, but in the current network security market, with the amount of high-level salespeak used to describe the features of IDS, IPS & firewalls, one could be forgiven for using the generic tag IDS to describe any number of hybrid detection, analysis and in some cases mitigation devices out there.

To give you an example: Symantec bought Axent for their Raptor Application-layer Proxy Firewall. They bought Recourse for their protocol-anomaly IDS, Manhunt. Manhunt, though always described as an IDS as it does not sit inline in the network, is capable of sending reset packets to block anomaly- or signature-identified traffic in mitigation. It can also send mitigation information to firewalls and IPS devices.
To make things more confusing, they have integrated the above with their AV onto their SGS boxes, which are all-in-one security appliances. Fortigate sell one of these as well, and Checkpoint are moving in that direction as well.

My point is that definitions in this space are all over the place, and I agree those of us who know the difference need to be careful; however, we should be coming up with accurate ways of describing how things stand today in terms of actual functionality rather than outdated (albeit originally correct) definitions. For example, calling something an "NIPS-NIDS-FW-AV-Content filter-antispam-washes-the-dishes-as-well appliance" is long winded - anyone have any ideas? Especially for devices that detect and recommend mitigation solutions but do not act themselves - there is no clear name for this, though Symantec did have something called Intrusion Prevention Solution which was a combo of point products working together.

Rgds.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- RE: Firewalls (was Re: IDS evaluations procedures) Biswas, Proneet (Jul 21)
- <Possible follow-ups>
- RE: Firewalls (was Re: IDS evaluations procedures) Hovis, Chris (Jul 21)
- RE: Firewalls (was Re: IDS evaluations procedures) Kyle Quest (Jul 22)
- RE: Firewalls (was Re: IDS evaluations procedures) Swift, David (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Sanjay Rawat (Jul 26)
- Re: Firewalls (was Re: IDS evaluations procedures) Martin Roesch (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Jason (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Stefano Zanero (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 25)
- RE: [Bulk] Re: Firewalls (was Re: IDS evaluations procedures) Bill Royds (Jul 26)
- RE: Firewalls (was Re: IDS evaluations procedures) Omar Herrera (Jul 26)