IDS mailing list archives

Re: Terminology: Inline IDS, IPS and Application Layer Firewall


From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Mon, 27 Feb 2006 09:17:00 -0500

Hi Andreas,

To respond to your email in reverse order.... packets are not necessarily _routed_ through these devices. In fact, I would say that in most cases, packets are _bridged_ across them. Most of these devices bridge the traffic so that you don't have to reconfigure the network to put one in. You simply stick it inline (no IP addresses on the inline interfaces) and it bridges the traffic while sniping/blocking "bad" traffic.

As to the differences between the 3 terms you mention, let's first make the assumption that IPS refers to an inline IPS. I have seen other vendors claim IPS capabilities out-of-band... usually via TCP resets, ICMP messages, manipulation of some other inline device, etc.

Getting that out of the way, I'm not sure what the difference is between an inline IPS device and an Application Layer Firewall. These seem to be vendor terms as far as I can tell. I'll give you an example: Some vendor will spout the benefits of their "application layer firewall" to a prospect, and then we'll be invited in, and we'll talk about our IPS product and how it works, and the prospect eventually says something like, "so can you act as an application layer firewall?". It reminds me of another example. We'll talk about inspecting packets and re-assembling packets and fragments to watch for some HTTP cross-site scripting attack (as an example). Then, later on, the prospect will ask, "so do you do deep packet inspection?" Some vendor created a simple term for something complex, and people use the terms without really understanding them. All they know is that they have to have it. Actually, it reminds me of those eBay commercials for "it". :)

Inline IDS is a different story. Inline IDS could simply refer to an IDS system that gets its traffic by sitting inline. This does not necessarily mean that it is sniping/blocking "bad" traffic. For customers who still want "IDS" instead of "IPS" this can be a good solution for them.... by putting an IDS inline, you don't have to set up a SPAN port (which can be too easily undone by somebody else) or purchase a network tap (which can get pretty pricey depending on what you're tapping and how many you need). NFR's Smart Sensors offer this as an option, so instead of being an IPS, it can simply be put inline in a non-blocking mode. A lot of customers start in this mode and then, after baselining the network, they turn on the IPS features, moving from "inline IDS" mode to "IPS" mode.

I'm sure there will be people who disagree with me... but that's my story and I'm sticking to it.

thanks,

dave

Andreas Hess wrote:
Hi,
I wonder if there are any conceptual differences between:
- inline IDSs,
- IPS and
- Application Layer Firewalls

Or are these just three terms that mean the same?
To my understanding all three concepts do access control up to the application layer and in addition, they all have a certain impact on the network performance as all packets are routed through them.

Regards
Andreas



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------


--
David W. Goodrum, CEH
Federal Sales Manager
(nfr)(security)
http://www.nfr.com
(M)703.731.3765
(O)240.747.3425
(F)240.632.0200
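As an added illustration (not code from NFR or from either poster), here is a small Python model of the two inline deployment modes described in the reply: a transparent bridge with no address of its own that inspects every packet, raises alerts in "inline IDS" mode, and only starts dropping matches once blocking is switched on. The signature, the sample packets and the class and function names are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed signature for the HTTP cross-site scripting example named in the
# reply. A real sensor would reassemble the stream before matching; this toy
# model matches on a single packet's payload.
SIGNATURES = {
    "xss-script-tag": b"<script>",
}

@dataclass
class InlineSensor:
    """Models a bridged port pair: no IP addresses, every frame passes through
    the inspection engine on its way from one inline port to the other."""
    blocking: bool = False                 # False = inline IDS, True = IPS
    alerts: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)

    def inspect(self, payload: bytes):
        """Return the name of the first matching signature, or None."""
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                return name
        return None

    def bridge(self, packet: bytes) -> bool:
        """Forward a packet across the bridge. A match always produces an alert;
        only in blocking (IPS) mode does it also stop the packet."""
        hit = self.inspect(packet)
        if hit:
            self.alerts.append(hit)
            if self.blocking:
                return False               # IPS mode: dropped, not forwarded
        self.forwarded.append(packet)      # inline IDS mode: pass everything
        return True

# Constructed traffic: two ordinary requests and one carrying the XSS pattern.
TRAFFIC = [
    b"GET /index.html HTTP/1.1",
    b"GET /search?q=<script>alert(1)</script> HTTP/1.1",
    b"GET /logo.png HTTP/1.1",
]

def run_traffic(blocking: bool):
    """Push the same traffic through a sensor in one mode and return
    (packets forwarded, alerts raised)."""
    sensor = InlineSensor(blocking=blocking)
    for pkt in TRAFFIC:
        sensor.bridge(pkt)
    return len(sensor.forwarded), list(sensor.alerts)
```

Running `run_traffic(False)` then `run_traffic(True)` shows the migration the reply describes: the same alert fires in both modes, but the packet reaches the far port only while blocking is off.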
