Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 16 Apr 2002 10:25:44 -0400

"Patrick M. Hausen" wrote:

> But you already have a firewall in place, right?
> A firewall which is policy enforcement device with respect
> to traffic passing from your internal network to the Internet
> and vice versa, right?

Within the limits of the capabilities of firewall technology.

> And the policy is to deny everything which is not explicitly allowed, right?

Blanket rules blocking broad swaths of communications may
be fine for some organizations, but academic organizations,
to name one type, installed a network to communicate, exchange
information, and research.

What if my policy is that I wish to allow all ssh traffic
except that which is trying to exploit an openssh buffer 
overflow? We've got new research collaborations all the time.

Or allow all http traffic except that which is trying to
access cmd.exe or *.ida?

Or allow all RPC-portmap traffic except that which is trying
to overflow statd?

Or allow all http or ftp traffic except that which attempts
connections to those ports on every campus machine?

> A properly understood and configured firewall is an "Intrusion Prevention
> Device" in the same way an armed guard is. If you needed a supervisor
> for the guard telling the guard what to do ... better fire the guard
> and let the supervisor do that job.

Better to get a better educated armed guard. If the armed guard's
instructions are simply to only allow company trucks and people with
passes, and only to the visitors center or warehouse, a relatively
simple firewall will do the job, assuming both the warehouse and
visitors center are hardened. But not all networks or organizations
are designed as closed systems. They want the full capabilities of
the communications system we call the Internet. They want to allow
their constituents, who may not always have the most hardened systems
whether because of training, time, or the vendor's focus on ease of
use rather than security, full communications access but still provide 
them some protection. Those organizations need more capable 
guards...i.e. an IPD.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
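The "allow all http except cmd.exe or *.ida" and "allow http/ftp except sweeps of every campus machine" policies above, as an added example that is not part of the original post or of any product discussed in the thread. It contrasts a pure port-based decision (the simple armed guard) with a content-aware one (the better educated guard) over a handful of constructed flows. The allowed-port set, the request-target patterns, the sweep threshold of five distinct hosts and the sample flows are all assumptions made for the illustration; the ssh and statd cases in the post are left out because the post gives no signature for them and they would need a protocol decoder, not a request-line match.

```python
import re
from collections import defaultdict

# Assumed port-based policy: what a "simple armed guard" firewall checks.
ALLOWED_PORTS = {21, 22, 80, 111}

# Request targets the post names: cmd.exe (Unicode traversal requests) and
# *.ida (Code Red style requests). Assumed pattern, matched on the target only.
HTTP_BLOCK = re.compile(rb"(?i)(cmd\.exe|\.ida\b)")

# Assumed threshold: distinct hosts one source may reach on 80/21 before the
# traffic is treated as a sweep of the campus rather than normal use.
SCAN_THRESHOLD = 5


def port_firewall(flow):
    """Port-only decision; it cannot distinguish a page fetch from an exploit."""
    return "ALLOW" if flow["dport"] in ALLOWED_PORTS else "DENY"


def http_request_target(payload):
    """Return the request-target of an HTTP request line, or None if absent."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


class ContentAwarePolicy:
    """Allow-by-default policy with content and behaviour exceptions."""

    def __init__(self, scan_threshold=SCAN_THRESHOLD):
        self.scan_threshold = scan_threshold
        self.targets = defaultdict(set)  # src -> distinct dst hosts on 80/21

    def decide(self, flow):
        if flow["dport"] not in ALLOWED_PORTS:
            return "DENY", "port not allowed"
        if flow["dport"] == 80:
            target = http_request_target(flow["payload"])
            if target is not None and HTTP_BLOCK.search(target):
                return "DENY", "http request for cmd.exe/.ida"
        if flow["dport"] in (80, 21):
            seen = self.targets[flow["src"]]
            seen.add(flow["dst"])
            if len(seen) > self.scan_threshold:
                return "DENY", "source sweeping campus hosts"
        return "ALLOW", "within policy"


# Constructed sample flows (not captured traffic): src, dst, port, payload.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.7", "dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH\r\n"},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "dport": 6667, "payload": b""},
] + [
    # One source walking port 80 across eight campus hosts.
    {"src": "10.0.0.99", "dst": "192.0.2.%d" % i, "dport": 80,
     "payload": b"GET / HTTP/1.0\r\n\r\n"}
    for i in range(1, 9)
]


def evaluate(flows):
    """Return (port_decision, content_decision, reason) per flow, in order."""
    policy = ContentAwarePolicy()
    results = []
    for flow in flows:
        content, reason = policy.decide(flow)
        results.append((port_firewall(flow), content, reason))
    return results


if __name__ == "__main__":
    for flow, (port, content, reason) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print("%s -> %s:%d  port=%s  content=%s (%s)"
              % (flow["src"], flow["dst"], flow["dport"], port, content, reason))
```

The port firewall says ALLOW for every port-80 flow, including the cmd.exe and .ida requests and all eight hosts of the sweep; the content-aware policy lets the normal fetch and the ssh session through, refuses the two exploit-style requests, and cuts the sweep off once the source has touched more hosts than the threshold. Both still deny the unlisted port. In a real deployment the decoder would have to reassemble streams and normalise encodings before matching, or the Unicode traversal in the second request would slip past a naive match.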

