Firewall Wizards mailing list archives

RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Tue, 13 Aug 2002 22:35:58 +1000

-----Original Message-----
From: Crispin Cowan [mailto:crispin () wirex com]
M. Dodge Mumford wrote:

> Hence my complaint. Things that are really signature
> firewalls are being marketed as "inline-IDS" or
> "intrusion prevention", making it relatively
> difficult for consumers to notice that they're really buying
> a different kind of firewall.

I seem to recall an early firewall implementer saying something (heavily
paraphrased, and in my own understanding) a few years ago along the lines of
policy based firewalls not being capable of providing the sorts of security
required in a hostile net, and that Intrusion Detection was a much more
promising technology. [1]

> ...the confusion is used to avoid critical
> comparisons, leading to weaker products getting away with
> stuff because they are not compared to their true
> competitors.
> This applies both ways between signature firewalls and
> classical firewalls.

As with other aspects of security, Defense In Depth should be a cardinal
rule. If signature based firewalls can improve the security of a network,
then certainly, we should be adding them to our repertoire of products and
solutions. On the darker side, however, these products are still very
young, and while early adopters are required for any emerging technology, I
am uncomfortable with the amount of FUD being spread (both ways) regarding
the _CURRENT_ capabilities of these products.

> Attacks are happening at (nearly) all the layers and
> firewalls appear to be happily ignoring them. That's
> what is letting these "new technologies" happen.

> Only if you synthetically define "firewalls" to be a subset
> of firewalls :)

I would argue that this is potentially a new class of firewall, as you
suggested: "Signature based" firewalls.

It would be nice to have a firewall that can apply _granular_ policy-based
rules all the way up into the presentation layer of most popular protocols.
Yes I know that this is the Application Layer gateway model, but I am yet to
see one that allows me the same sort of granular control at Presentation
layer, that I get at IP layer. [3] 

My main concern with Signature based firewalls would then be three-fold [4]:
1) False-Positive blocking: Unexpected application of signatures blocking
traffic that _should_ be allowed. 
2) Policy based enforcement: There are still a large number of areas in
which I don't care what the signature says, I don't want to see MS-SQL, or
NetBIOS on my Internet Gateway, I just want it blocked.
3) Constant update: The security, enforcement, regression testing and
application of almost constant signature updates required to keep these
things up-to-date. [5] 

Crispin

Crispin Harris
Senior Security Consultant (Sydney)
DeMorgan Information Security Systems

[1] This is both heavily paraphrased, and filtered through my personal
understanding of a two-liner regarding the relative merits of Firewalls &
IDS systems [2].

[2] I don't want to quote the source in case I seriously embarrass myself
and misrepresent his case; please accept my apologies.

[3] The easy example is HTTP [and this is one of the few cases where much
granular access control is available], where I want control over content
stripping, URI contents, direction of travel, time of day, authentication
being used, Headers being sent & retrieved. 
        In summary, I guess I want the same sort of (almost) mature
filtering features for ALG Proxies in the Application and Presentation
Layers as are now commonly available in Network and Transport Layers
(TCP/UDP/IP etc). 

[4] Initially I only had two :-)

[5] Just look at the IDS question that has so many people up-in-arms. Now up
the ante by making this very same issue control your entire (presumably)
security posture. - Yuk! 