RE: Firewalls (was Re: IDS evaluations procedures)

["Hovis, Chris" <Chris.Hovis () morgankeegan com>]

Unified Threat Management (UTM) appliances is an increasingly popular
term for an "NIPS-NIDS-FW-AV-Content
filter-antispam-washes-the-dishes-as-well appliance"

ISS, Secure Computing, and a number of private companies (such as Deep
Nines and Reflex Security) have offerings in this market in addition to
Fortinet and Symantec that you mention.

Secure Enterprise recently reviewed some of these products.  You can see
the review at
http://www.securitypipeline.com/showArticle.jhtml?articleID=162600163


-Chris


Chris Hovis
Equity Research Analyst - Internet Security and Infrastructure
Morgan Keegan & Company, Inc.
chris.hovis () morgankeegan com
404.240.6765 (office)
866.355.6765 (toll-free)
770.630.7601 (mobile)

PLEASE READ DISCLOSURE STATEMENTS WITHIN ATTACHED DOCUMENTS.

The e-mail, including attachments, is intended for the exclusive use of
the addressee and may contain proprietary, confidential or privileged
information.  If you are not the intended recipient, any dissemination,
use, distribution or copying is strictly prohibited.  If you have
received this e-mail in error, please notify me via return e-mail and
permanently delete the original and destroy all copies.


> -----Original Message-----
> From: Fergus Brooks [mailto:fergwa () gmail com]
> Sent: Tuesday, July 19, 2005 1:56 AM
> To: focus-ids () securityfocus com
> Subject: Re: Firewalls (was Re: IDS evaluations procedures)
>
> Devdas you say:
>
> > An IDS is not an attack prevention mechanism. An IDS is a tool to
> > detect when your active attack detection mechanisms have been
> > bypassed. An IDS is passive. It tells you what it can see,
> but it is
> > not supposed to do anything to that traffic. Active elements are
> > called firewalls, and firewalls include both packet filters
> and proxies.
>
> Traditionally a firewall is nothing more than a gatekeeper
> that permits or denies traffic based on a predefined policy.
> "Active" in that it is powered on, but only as intelligent as
> its featureset allows for. The ability to monitor state was
> one of the first of these more advanced features and now the
> sky is the limit.
>
> You mention proxies - application-layer firewalls like
> Gauntlet/Sidewinder and Raptor/SEF have the ability to look
> at traffic in far more detail, in fact they spawn other
> processes to communicate with the destination devices, this
> is more "active," still a firewall by definition though.
>
> Traditionally your definition of an IDS is correct but in the
> current network security market and the amount of high-level
> salespeak used to describe the features of IDS, IPS &
> firewalls, one could be forgiven for using the generic tag
> IDS to describe any number of hybrid detection, analysis and
> in some case mitigation devices out there.
>
> To give you an example. Symantec bought Axent for their
> Raptor Application-layer Proxy Firewall. They bought Recourse
> for their Protocol-anomaly IDS, Manhunt. Manhunt, though
> always described as an IDS as it does not sit inline in the
> network, is capable of sending reset packets to block
> anomalously or signature-identified traffic in mitigation. It
> can also send mitigation information to firewalls and IPS devices.
>
> To make things more confusing they have integrated the above
> with their AV onto their SGS boxes which are all-in-one
> security appliances. Fortigate sell one of these as well,
> Checkpoint are moving in that direction as well.
>
> My point is that definitions in this space are all over the
> place, and I agree those of us who know the difference need
> to be careful, however we should be coming up with accurate
> ways of describing how things stand today in terms of actual
> functionality than outdated (albeit originally correct) definitions.
>
> For example calling something an"NIPS-NIDS-FW-AV-Content
> filter-antispam-washes-the-dishes-as-well appliance" is long
> winded - anyone have any ideas?
>
> Especially where devices that detect and recommend mitigation
> solutions - but do not act themselves, no clear name for this
> - though Symantec did have something called Intrusion
> Prevention Solution which was a combo of point products
> working together.
>
> Rgds.
>
> --------------------------------------------------------------
> ----------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world
> attacks from CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------
> ----------


Morgan Keegan & Co., Inc. DOES NOT ACCEPT ORDERS AND/OR INSTRUCTIONS REGARDING YOUR ACCOUNT BY
 E-MAIL.  Transactional details do not supersede normal trade confirmations or statements.  The information contained
 in this transmission is privileged and confidential. It is intended for the use of the individual or entity named 
above. The
 information contained herein is based on sources we believe reliable but is not considered all-inclusive. Opinions are
 our current opinions only and are subject to change without notice.  Offerings are subject to prior sale and/or change
 in price.  Prices, quotes, rates and yields are subject to change without notice.  Morgan Keegan & Co., Inc., member
 NYSE, NASD and SIPC, is a registered broker-dealer subsidiary of Regions Financial Corporation.  Investments are
 NOT FDIC INSURED, NOT BANK GUARANTEED and MAY LOSE VALUE.  Morgan Keegan & Co., Inc. reserves the right to
 monitor all electronic correspondence.


http://www.morgankeegan.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------