IDS mailing list archives
RE: IDS vs. IPS deployment feedback
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Mon, 3 Apr 2006 06:19:24 +0530
On 30/03/06 08:30 -0800, Andrew Plato wrote:
> > If by firewall, you mean a proxy which validates protocols and is in default deny mode, then you are just wrong. If I don't have a proxy for it, I don't let the traffic through. Works just fine.
> >
> > An IPS looks at stuff on the wire, decides what is bad, and blocks it. A real firewall looks at stuff on the wire, decides what is good, and allows it. A real firewall hooks into everything (servers, network equipment, desktops...).
>
> Proxy firewalls make up a small (and shrinking) percentage of the market of firewalls. And having worked with over 500 different companies, my

And that market-share is relevant how? Just because everyone thinks the world is flat does not make it so.

> experience is that proxy-based firewalls are rarely deployed in the manner you describe. The default deny from unknown or unallowed protocols is almost ALWAYS turned off because it breaks some important

And that justifies an IPS?

> business system that was poorly coded. Furthermore, a proxy validating

Then the right thing to do is to fix the application.

> protocols still cannot stop a lot of exploits. Plenty of exploits live quite comfortably inside the RFC-specs for a protocol. And in this case, your proxy-firewall would do nothing to stop them.

Actually, the proxy would know what valid traffic to expect. Regular expressions are nice if used properly. Plug in a reverse proxy in front of your webserver and block queries with SQL(ish) content embedded. If you think that you can run an Internet facing system without knowing what is on the network, you are just plain wrong.

> Most firewalls have no insight into application-layer content. And most

ITYM packet filters and not firewalls.

> exploits are application-layer exploits. This isn't just some insane idea, it's a fact. You can ignore this and tell yourself 10000 times you don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls are not sufficient protection for most organizations.

Other than networking stack issues, everything else is an application layer exploit. Not having a service installed, not running it, staying patched, using proxies correctly, using well coded software, watching your logs...

> > Once you have a firewall in place, you need a system which analyses logs and traffic which gets through your firewall.
>
> Which is why you sandwich your firewall with a good IPS, so you can see what gets through and block it - if necessary.
IDS yes, IPS no. Oh, and good backups.

Devdas Bhagat
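The two models argued about in this message ("decides what is bad, and blocks it" versus "decides what is good, and allows it", and the suggestion to put a reverse proxy in front of the web server that rejects SQL-looking query content) can be shown side by side on a few constructed requests. The following is an added example written for this archive page; it is not code from the thread or from either poster. The application, its paths (`/products`, `/search`), its parameters and the sample requests are all hypothetical, and the SQL-ish deny-list regex is deliberately tiny, to show what each model does and does not catch.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Default-deny allow-list for a hypothetical shop front end: each (method, path)
# pair lists exactly which query parameters may appear and what shape each must
# have.  Anything not described here is denied.  This is the "decide what is
# good and allow it" model the message argues for.
ALLOW_RULES = [
    {"method": "GET", "path": re.compile(r"/products"),
     "params": {"id": re.compile(r"[0-9]{1,9}")}},
    {"method": "GET", "path": re.compile(r"/search"),
     "params": {"q": re.compile(r"[A-Za-z0-9 ]{1,64}")}},
]

# Deliberately small deny-list of SQL-looking fragments, standing in for the
# "block queries with SQL(ish) content" idea.  It can only catch shapes that
# someone thought to write down in advance.
SQLISH = re.compile(r"(?i)\b(or|and)\b\s+\w+\s*=\s*\w+|\bunion\b\s+\bselect\b|--")


def denylist_decision(method, target):
    """'Decide what is bad and block it': deny only when a deny-list pattern hits."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SQLISH.search(value):
            return ("deny", f"parameter {name!r} matched a SQL-ish pattern")
    return ("allow", "no deny-list match")


def allowlist_decision(method, target):
    """'Decide what is good and allow it': deny unless every part is known-good."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for rule in ALLOW_RULES:
        if rule["method"] != method or not rule["path"].fullmatch(parts.path):
            continue
        # Every parameter must be declared for this rule and must fully match
        # its declared shape; an undeclared parameter is a deny, not a pass.
        for name, value in params:
            pattern = rule["params"].get(name)
            if pattern is None:
                return ("deny", f"unexpected parameter {name!r}")
            if not pattern.fullmatch(value):
                return ("deny", f"parameter {name!r} does not match its allowed shape")
        return ("allow", f"matched allow rule for {method} {parts.path}")
    return ("deny", f"no allow rule for {method} {parts.path}")


def compare(requests):
    """Run both policies over (method, target) pairs.

    Returns a list of (target, deny-list verdict, allow-list verdict).
    """
    return [(target, denylist_decision(m, target)[0], allowlist_decision(m, target)[0])
            for m, target in requests]


# Constructed sample requests for the hypothetical application (not captured traffic).
SAMPLE_REQUESTS = [
    ("GET", "/products?id=42"),           # well-formed: both models allow
    ("GET", "/products?id=42 OR 1=1"),    # SQL-looking value: both models deny
    ("GET", "/products?id=abc"),          # malformed but not SQL-looking: only the allow-list denies
    ("GET", "/products?id=42&debug=1"),   # undeclared parameter: only the allow-list denies
    ("GET", "/admin"),                    # path nobody declared: only the allow-list denies
    ("POST", "/products?id=42"),          # method nobody declared: only the allow-list denies
]

if __name__ == "__main__":
    for target, deny_verdict, allow_verdict in compare(SAMPLE_REQUESTS):
        print(f"{target:32} deny-list: {deny_verdict:5}  allow-list: {allow_verdict}")
```

Only the second request is caught by the deny-list; the allow-list rejects all four of the remaining odd requests because they fall outside what the operator declared as valid, without anyone having to anticipate them. The cost is the one the quoted reply complains about: every legitimate parameter, path and method has to be declared, and an application that sends something undeclared breaks until the rule set (or, as the message puts it, the application) is fixed.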