Firewall Wizards mailing list archives

Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: Iván Arce <core.lists.firewall-wizards () core-sdi com>
Date: Tue, 13 Aug 2002 14:18:38 -0300

But there are fundamental conceptual differences
from a security standpoint in some of the technologies
listed below.

Those adopting firewalling technologies are aiming at
preventing (read: STOPPING) attacks coming from
one security domain to another (let's say an untrusted
net and a trusted one). The rationale and the "paradigm"
behind firewalls is (or at least I see it as) that: stopping
the attackers, isolation of security domains.

IDS adopters, on the other hand, have gone a step
further in their assumptions; here the rationale is that
they can NOT stop all the attacks: sometime, somewhere
there will be someone good enough to bypass the poorly
configured firewall, so here the idea is "if I cannot stop them all,
at least I will try to be informed as soon as I detect a successful
attack" (think a NIDS on the trusted side of the FW, or a HIDS).
So in my opinion adopting IDS technologies implies a conceptual
change in terms of what is expected from the firewall technology:
the adopter is giving in to the idea of not being able to
stop all the attacks.

Further down the line, a honeypot/honeynet could be, and generally
is, used to LEARN from the attacker. Here the adopter
accepts that her IDS will not detect all attacks, but only those
that are previously known or that differ substantially from
normal user behavior, and that she will not acquire any substantial
information from the attacker or about the techniques employed, nor
about previously unknown forms of attack. Deploying a honeypot
demonstrates a desire to learn from attackers, and perhaps also
to go after them with a stronger case.

Yes, perhaps all the things listed below are one and the same;
after all, they are just electrons flowing in a barely ordered way. But
I believe that the differences should be presented in terms of
what "implicit" security assumptions are being made when each of
them is used.

jm2p

-ivan

--
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

----- Original Message -----
From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
To: <firewall-wizards () nfr net>
<firewall-wizards () honor icsalabs com>
Sent: Monday, August 12, 2002 8:53 PM
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name



Actually:
        IDS
        VPN routers
        honeypots
        Firewalls
        URL filters
        boundary antivirus
        caching proxies





--- for a personal reply use: Iván Arce <ivan.arce () corest com>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

