IDS mailing list archives
RE: Terminology: Inline IDS, IPS and Application Layer Firewall
From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Tue, 28 Feb 2006 12:07:54 -0500
Andreas,

An inline IDS is still an IDS and has limited, if any, capability to actually prevent the intrusions that it detects. Contrast this with an IPS, which typically has more extensive capabilities to prevent intrusions. Many inline IPS systems can be successfully deployed as an inline IDS. However, an inline IDS would typically make an unsatisfactory IPS.

An application layer firewall (forgive me if you already know this) would look at the network traffic as a series of transactions and allow you to control which transactions are allowed based upon a set of rules that you define. Whereas a layer 3/4 firewall would allow you to specify rules in terms of IP address and TCP/UDP ports, an application layer firewall would allow you to specify terms such as URL for HTTP traffic in addition to the layer 3/4 terms, for example. That is, you could control access to individual URLs if your application layer firewall were HTTP-aware.

Conceptually, the application layer firewall provides you tools to use your knowledge of normal, acceptable traffic on your network to limit your risk from potentially unknown attacks. Whereas the typical IPS provides you tools to use the vendor's knowledge of known (or predictable) attacks to limit the risk to the potentially unknown traffic and assets on your network. As such, the two technologies are complementary and there is often some level of crossover in the product spaces. That is, application level firewalls may include some limited IPS capability. IPS products may include some application level firewall capabilities.

I hope this helps,
Paul

-----Original Message-----
From: Andreas Hess [mailto:hess () tkn tu-berlin de]
Sent: Friday, February 24, 2006 5:29 AM
To: focus-ids () securityfocus com
Subject: Terminology: Inline IDS, IPS and Application Layer Firewall

Hi,

I wonder if there are any conceptual differences between:
- inline IDSs,
- IPS and
- Application Layer Firewalls

Or are these just three terms that mean the same?

To my understanding all three concepts do access control up to the application layer and, in addition, they all have a certain impact on the network performance as all packets are routed through them.

Regards
Andreas

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
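The distinction Paul draws above, allow-listing known-good transactions (application layer firewall) versus deny-listing known-bad content (IPS), as an added example that is not part of the original thread. The rules, signatures, IP ranges and sample requests are all hypothetical and constructed here to show the two approaches catching different things: a request to an URL nobody defined as acceptable is dropped by the allow-list even though no signature fires, while a known attack pattern against a permitted URL passes the allow-list and is caught only by the signature.

```python
"""Toy policy engine contrasting an application-layer firewall (allow-list of
known-good transactions, L3/4 plus HTTP terms) with an IPS (deny-list of
known-bad patterns). Added example with hypothetical rules; not code from the
original post."""
from dataclasses import dataclass
from urllib.parse import unquote
import ipaddress
import re


@dataclass
class Request:
    src_ip: str
    dst_port: int
    method: str
    path: str
    query: str = ""


@dataclass
class L34Rule:
    """Layer 3/4 term: which source network may reach which TCP port."""
    src_net: str
    dst_port: int


@dataclass
class L7Rule:
    """Application-layer term: which HTTP method/URL pairs are acceptable."""
    method: str
    path_pattern: str  # regex, matched against the full path


@dataset_placeholder = None  # noqa  (removed below)
```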
Current thread:
- RE: Terminology: Inline IDS, IPS and Application Layer Firewall Palmer, Paul (ISSAtlanta) (Mar 01)