IDS mailing list archives
Re: IDS vs Application Proxy Firewall
From: "\"Zow\" Terry Brugger" <zow () acm org>
Date: Wed, 22 Oct 2008 08:56:33 -0700
> > Can someone please explain how an IDS is different from an application
> > proxy firewall in terms of what each of them looks for in a packet.
>
> An application proxy is a non-transparent device working inline at the
> application layer.

Unless it is a transparent application proxy, which is probably growing a lot faster than the traditional application proxies, as they don't require reconfiguration of the proxy settings on hundreds or thousands of machines. BlueCoat is the 800lb gorilla in this space.

> An IDS, assuming that you are talking about a network IDS, is a
> transparent device which works at the network and transport layer,
> usually as a sniffer.

Unless it is an IPS, in which case it either runs in-line and blocks connections it thinks are suspicious, or it just sniffs, but instructs some other piece of network equipment (such as a firewall or router) to drop or block certain connections or IPs.

> Basically, they are as different as two networking devices can be. I see
> no point whatsoever in comparing them.

I don't think the picture is quite so black-or-white. The difference I'd see is that network IDS/IPS devices typically look for specific signatures (sequences of bytes, regular expressions, certain flags set in the headers, etc.) on a session (TCP, UDP, ICMP) or network (IP) level packet. Most can do some degree of session reassembly, but only in so far as to catch signatures which are divided across multiple packets. Application proxies, on the other hand, examine traffic at the application layer. Typically, they enforce protocol semantics for that application, which prevents someone from connecting to an IRC server on port 80 (because it's "always open"). This works because the HTTP proxy now handling port 80 traffic will only talk HTTP, so when the IRC client tries to connect through it, it won't work. I haven't seen too much in the way of actual attack detection in application proxies; however, it is the natural place to look for attacks on a deeper semantic level for a given application protocol, such as cross-site scripting attacks in HTML over HTTP. I think the main argument against doing it there is that it would be expensive, and that's something that can be handled by the individual browsers.

Hope this helps,
Terry
#include <stddisclaim.h>
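The two inspection styles Terry contrasts above, as an added example that is not part of the original thread: a signature-matching engine of the kind a network IDS runs over packet payloads (with just enough TCP reassembly to see a signature split across two packets), beside an HTTP proxy check that accepts or rejects a client purely on whether its first request is well-formed HTTP. The signatures, the segment sequence numbers and all client data are constructed for this illustration; the `sorted`-and-concatenate reassembler is a deliberate simplification, not how any real IDS reassembles streams.

```python
"""Toy contrast between signature-based network IDS inspection and
application-proxy protocol enforcement.  Constructed example; none of the
signatures or traffic below come from the mailing list thread."""
from __future__ import annotations
import re
from typing import Iterable, List, Tuple

# ---- 1. Network IDS style: byte/regex signatures over packet payloads ----
# Constructed signatures, for illustration only (not a real rule set).
SIGNATURES = [
    ("NOP sled", re.compile(rb"\x90{8,}")),                     # 8+ x86 NOPs
    ("IRC NICK on HTTP port", re.compile(rb"^NICK\s+\S+\r?\n", re.M)),
]


def match_signatures(data: bytes) -> List[str]:
    """Return the names of every signature that fires on `data`."""
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


def scan_per_packet(segments: Iterable[Tuple[int, bytes]]) -> List[str]:
    """What an IDS with no session reassembly sees: each payload alone."""
    hits: List[str] = []
    for _seq, payload in segments:
        hits.extend(match_signatures(payload))
    return hits


def reassemble(segments: Iterable[Tuple[int, bytes]]) -> bytes:
    """Order TCP segments by sequence number and join their payloads.
    Minimal on purpose: enough to reveal a signature that straddles a
    packet boundary, which is the limited reassembly the reply describes."""
    buf = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        n = len(payload)
        if expected is None:
            expected = seq
        overlap = expected - seq
        if overlap > 0:
            payload = payload[overlap:]   # retransmitted bytes we already hold
        buf.extend(payload)
        expected = max(expected, seq + n)
    return bytes(buf)


# ---- 2. Application proxy style: enforce HTTP semantics, nothing else ----
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.([01])$"
)


def http_proxy_accepts(request: bytes) -> bool:
    """An HTTP proxy only talks HTTP: any client whose opening bytes are not
    a well-formed request plus headers is refused, whatever port it used."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return False                      # headers never terminated
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False                      # not an HTTP request line at all
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False                  # malformed header line
        headers[name.strip().lower()] = value.strip()
    if m.group(3) == b"1" and b"host" not in headers:
        return False                      # HTTP/1.1 requires a Host header
    return True


# ---- Constructed sample traffic ----
# A NOP sled split 5 + 4 across two segments, delivered out of order.
SPLIT_SLED = [
    (2009, b"\x90" * 4 + b"BBBB"),
    (2000, b"AAAA" + b"\x90" * 5),
]
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
IRC_HELLO = b"NICK alice\r\nUSER alice 0 * :Alice\r\n"      # IRC client opening
UNKNOWN_HELLO = b"HELLO FOOPROTO 1\r\n\r\n"                   # made-up protocol

if __name__ == "__main__":
    print("per-packet IDS:", scan_per_packet(SPLIT_SLED))           # []
    print("reassembled IDS:", match_signatures(reassemble(SPLIT_SLED)))
    for name, data in [("HTTP", HTTP_REQUEST), ("IRC", IRC_HELLO),
                       ("unknown", UNKNOWN_HELLO)]:
        print(name, "proxy:", http_proxy_accepts(data),
              "IDS:", match_signatures(data))
```

The IRC hello is caught both ways, but only because a signature for it happens to exist; the made-up protocol trips no signature and is still refused by the proxy, because it is not HTTP. That is the asymmetry in the reply: the IDS finds what it has been told to look for, the proxy enforces what the protocol allows.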