IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Sat, 12 Mar 2005 10:23:03 -0500
comments inline below
Invisible in the sense that the interfaces that pass traffic do not have IP addresses. And yes, the device must have an IP address on the management side, but that's generally deeper in the network. I'm not sure that's obscurity... that's simply smart management. Many customers have completely out of band management networks. And yes, it's possible to compromise systems that are simply sniffing... but it's much harder. I know of only one product that's been successfully remotely exploited in this manner, and the only reason that happened was because it was an opensource product that allows hackers to read the source code and look for ways to compromise it.Many IDS vendors are integrating Firewalls into their product, just like Firewall vendors are trying to catch up on the Layer 7 analysis. Both types of technologies are coming tgether to some degree. We've actually embedded pf (freebsd's firewall) into our product now. The difference really will be WHERE you want to deploy and what your requirements are. For example, most companies with IPS products (such as ISS, NFR, etc), are generally implemented in a "bridging" mode. i.e. even though they are doing firewalling, they are still invisible to the network and don't require changes to the network architecture to implement them. Bridging firewalls are probably not what you want on the perimeter, and so you should look to a more traditional firewall. Traditional firewalls are not invisible, meaning they can do more traditional firewall roles including NAT, routing, and other fun stuff. The downside there is that they are also exposed to attack.Just cause your in L2 mode doesn't make you immune to attack (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump). The box still has to process packets just like any other L3 app. I'm not sure how bridge mode makes a box "invisible". Besides, the device still needs an IP on the local network for management. Sounds like security through obscurity to me.
IPS technologies are actually just as (if not more) successful internally than on the perimeter. I would argue that they are not disparate technologies even today. NFR's appliances are essentially FreeBSD based, and so we've integrated FreeBSD's pf into the product which is a fully functional firewall. It's providing the pretty GUI overlay that CheckPoint and other traditional firewall vendors have had for years that is the hard part. Fortunately, we (the collective IPS vendor market as a whole) get to learn from their mistakes and successes.With the obvious success of IPS technologies at the perimeter, I find it hard to believe that IPS and FW technologies will remain disparate technologies for more than a few more years. The IPS vendors need to do one of two things: 1. Find a good firewall vendor to acquire them or 2. Build a full featured firewall from scratch.
What I'm getting at is that Defense in Depth still applies, even though these two technologies seem to be coming together rather quickly. If you deploy a true routing firewall on your perimeter, you should protect it with an invisible IPS product (there have been plenty of cases of routing firewalls being compromised). Internally, when you create your quarantine areas, most organizations don't require advanced firewalling features such as NAT and routing. In those cases, it might be a good fit for a bridging firewall (like today's IPS vendors). Does anybody care about best of breed anymore?This is probably not going to be well received on this particular list but I think it holds true... Talking to Chris Hovis the other day, he mentioned that what (most) customers want is "good enough security". This means that as long as the technology works and the problem gets solved, the technology is "good enough". Are all those neato-gizmos that the best-of-breed vendors provide valuable? Sure, but at the end of the day customers want to pay "just enough" to solve the problem.PS: and once again, ISS is in the gane for 10 long years. What about the competitors?NFR was founded in 1996 and still chugging away. ;)Thanks, Stephane-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 tolearn more. --------------------------------------------------------------------------
-- David W. Goodrum Senior Systems Engineer NFR Security 703.731.3765 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- RE: How to choose an IDS/FW MSS provider, (continued)
- RE: How to choose an IDS/FW MSS provider Brady, Rick (Mar 10)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 11)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider Brady, Rick (Mar 10)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Adam Powers (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Jason (Mar 19)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 23)
- Re: How to choose an IDS/FW MSS provider Ron Gula (Mar 24)
- RE: How to choose an IDS/FW MSS provider Chris Harrington (Mar 16)
- RE: Has ISS a SOC in Europe? Gregory Bell (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)