Firewall Wizards mailing list archives
RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Tue, 13 Aug 2002 22:35:58 +1000
-----Original Message-----
From: Crispin Cowan [mailto:crispin () wirex com]

> M. Dodge Mumford wrote:
>
> Hence my complaint. Things that are really signature firewalls are being marketed as "inline-IDS" or "intrusion prevention", making it relatively difficult for consumers to notice that they're really buying a different kind of firewall.

I seem to recall an early firewall implementer saying something (heavily paraphrased, and in my own understanding) a few years ago along the lines of policy-based firewalls not being capable of providing the sorts of security required in a hostile net, and Intrusion Detection being a much more promising technology. [1]

> ...the confusion is used to avoid critical comparisons, leading to weaker products getting away with stuff because they are not compared to their true competitors. This applies both ways between signature firewalls and classical firewalls.

As with other aspects of security, Defense In Depth should be a cardinal rule. If signature-based firewalls can improve the security of a network, then certainly we should be adding them to our repertoire of products and solutions. On the darker side, however, these products are still very young, and while early adopters are required for any emerging technology, I am uncomfortable with the amount of FUD being spread (both ways) regarding the _CURRENT_ capabilities of these products.

> > Attacks are happening at (nearly) all the layers and firewalls appear to be happily ignoring them. That's what is letting these "new technologies" happen.
>
> Only if you synthetically define "firewalls" to be a subset of firewalls :)

I would argue that this is potentially a new class of firewall, as you suggested: "Signature based" firewalls. It would be nice to have a firewall that can apply _granular_ policy-based rules all the way up into the presentation layer of most popular protocols. Yes, I know that this is the Application Layer Gateway model, but I am yet to see one that allows me the same sort of granular control at the Presentation layer that I get at the IP layer. [3]

My main concern with Signature based firewalls would then be three-fold [4]:

1) False-positive blocking: unexpected application of signatures blocking traffic that _should_ be allowed.
2) Policy-based enforcement: there are still a large number of areas in which I don't care what the signature says; I don't want to see MS-SQL or NetBIOS on my Internet Gateway, I just want it blocked.
3) Constant update: the security, enforcement, regression testing and application of almost constant signature updates required to keep these things up-to-date. [5]
Crispin
Crispin Harris
Senior Security Consultant (Sydney)
DeMorgan Information Security Systems

[1] This is both heavily paraphrased, and filtered through my personal understanding of a two-liner regarding the relative merits of Firewalls & IDS systems [2].
[2] I don't want to quote the source in case I seriously embarrass myself and misrepresent his case; please accept my apologies.
[3] The easy example is HTTP [and this is one of the few cases where much granular access control is available], where I want control over content stripping, URI contents, direction of travel, time of day, authentication being used, headers being sent & retrieved. In summary, I guess I want the same sort of (almost) mature filtering features for ALG proxies in the Application and Presentation Layers as are now commonly available in the Network and Transport Layers (TCP/UDP/IP etc).
[4] Initially I only had two :-)
[5] Just look at the IDS question that has so many people up in arms. Now up the ante by making this very same issue control your entire (presumably) security posture. - Yuk!
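The three concerns in the message above, and the HTTP wish-list in footnote [3], can be made concrete with a small inline filter that evaluates classical policy before signatures. The following is an added illustration for this archive page, not code from the thread or from any DeMorgan or WireX product; the port table, the HTTP rules, the two signatures, the hostnames and the sample requests are all constructed for the example. It shows a policy deny that ignores payload entirely (concern 2), presentation-layer controls on method, URI, direction, time of day and headers (footnote [3]), and a signature that blocks a legitimate request because its URI happens to contain "cmd.exe" (concern 1).

```python
"""Toy two-stage inline filter: network/transport policy, then HTTP policy, then signatures.
Constructed illustration only; every rule, address and payload below is made up."""
import re
from dataclasses import dataclass
from datetime import time


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    direction: str        # "inbound" or "outbound" relative to the protected network
    payload: bytes = b""
    at: time = time(12, 0)  # wall-clock time the packet was seen


# Stage 1: classical policy. Verdicts here never look at the payload, so a
# "harmless" MS-SQL or NetBIOS packet is dropped regardless of what it says.
POLICY_DENY_PORTS = {
    ("tcp", 1433): "ms-sql", ("udp", 1434): "ms-sql-monitor",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm",
    ("tcp", 139): "netbios-ssn", ("tcp", 445): "smb",
}


def network_policy(p: Packet):
    svc = POLICY_DENY_PORTS.get((p.proto, p.dport))
    if svc:
        return ("deny", f"policy: {svc} not permitted on Internet gateway")
    return None


# Stage 2: granular HTTP policy (method, URI, direction, time of day, headers).
def parse_http(payload: bytes):
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)   # ValueError if not a request line
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, uri, headers, body


BUSINESS_HOURS = (time(8, 0), time(18, 0))       # assumed site policy
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
URI_ALLOW = re.compile(r"^/(?:public|api/v1)/")  # assumed published paths


def http_policy(p: Packet):
    if p.proto != "tcp" or p.dport not in (80, 8080):
        return None
    try:
        method, uri, headers, _ = parse_http(p.payload)
    except ValueError:
        return ("deny", "http: request line not parseable")
    if p.direction == "inbound" and method not in ALLOWED_METHODS:
        return ("deny", f"http: method {method} not allowed inbound")
    if p.direction == "inbound" and not URI_ALLOW.match(uri):
        return ("deny", f"http: URI {uri} outside published paths")
    if p.direction == "outbound" and not (BUSINESS_HOURS[0] <= p.at <= BUSINESS_HOURS[1]):
        return ("deny", "http: outbound browsing only during business hours")
    if "proxy-authorization" in headers:
        return ("deny", "http: client must not carry proxy credentials")
    return None


# Stage 3: content signatures, applied only to traffic policy already allowed.
SIGNATURES = [
    ("cmd-exe-in-uri", re.compile(rb"cmd\.exe", re.I)),
    ("xp-cmdshell", re.compile(rb"xp_cmdshell", re.I)),
]


def signature_check(p: Packet):
    for name, rx in SIGNATURES:
        if rx.search(p.payload):
            return ("deny", f"signature: {name}")
    return None


def verdict(p: Packet):
    for stage in (network_policy, http_policy, signature_check):
        r = stage(p)
        if r:
            return r
    return ("allow", "no rule matched")


def run_demo():
    """Constructed sample traffic (not captured data) run through all three stages."""
    web = "192.0.2.80"
    host = b"Host: www.example.test\r\n\r\n"
    samples = {
        "mssql": Packet("198.51.100.7", "192.0.2.10", "tcp", 1433, "inbound",
                        b"\x12\x01\x00\x34 harmless-looking TDS prelogin"),
        "web-ok": Packet("198.51.100.7", web, "tcp", 80, "inbound",
                         b"GET /public/index.html HTTP/1.1\r\n" + host),
        "web-admin": Packet("198.51.100.7", web, "tcp", 80, "inbound",
                            b"GET /admin/ HTTP/1.1\r\n" + host),
        # Legitimate knowledge-base page whose URI mentions cmd.exe: the signature fires.
        "web-false-positive": Packet("198.51.100.7", web, "tcp", 80, "inbound",
                                     b"GET /public/kb/why-cmd.exe-is-blocked.html HTTP/1.1\r\n" + host),
        "after-hours": Packet("192.0.2.55", "203.0.113.9", "tcp", 80, "outbound",
                              b"GET /api/v1/news HTTP/1.1\r\nHost: news.example.test\r\n\r\n", time(22, 30)),
    }
    return {name: verdict(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_demo().items():
        print(f"{name:20s} {action:5s} {reason}")
```

Ordering is the point of the example: because the MS-SQL packet is denied at stage 1, no signature ever gets a vote on it, while the knowledge-base request passes every policy check and is then lost to a signature false positive. Whether that trade is acceptable, and who regression-tests each signature update against the site's legitimate traffic, is exactly the operational question the message raises.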
Current thread:
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Harris (Aug 13)
- <Possible follow-ups>
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Harris (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Mikael Olsson (Aug 15)