Firewall Wizards mailing list archives
RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: "Ofir Arkin" <ofir () sys-security com>
Date: Fri, 16 Aug 2002 17:55:51 +0100
All,

I remember when we only had proxies (application level gateways and regular ones) and packet filters. Then other concepts came along such as "dynamic filtering" and "stateful inspection".

Today, at least for me, a "basic" firewall is not enough. The features, or at least what we expect to act against at the perimeter, have changed - we are simply looking to do more things and get rid of more things at the perimeter, where the old concepts do not work anymore. We wish the firewall to understand the protocol, to analyze at least some of the stuff traversing the firewall and to be able to drop packets on issues other than source and destination port (G, I got that abstract now, MJR might kick me :P)

So, for me, it is just an ability list. Look for Sidewinder and CheckPoint FW-1 NG (cool stuff there).

Hogwash is cool; do not forget it is open source and developed in the spare time of Jed. At the end of the day it works well and provides exactly what Jed tells you it provides.

Damn, we did not even get to the software vs. hardware issue and the lovely fake tests on IDSs and firewalls (just a hint for MJR :P )

Cheers!

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Iván Arce
Sent: 13 August 2002 18:19
To: firewall-wizards () nfr net
Cc: core.lists.firewall-wizards () corest com
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

But there are fundamental conceptual differences from a security standpoint in some of the technologies listed below. Those adopting firewalling technologies are aiming at preventing (read: STOPPING) attacks coming from one security domain to another (let's say an untrusted net and a trusted one).
The rationale and the "paradigm" behind firewalls is (or at least I see it as) that: stopping the attackers, isolation of security domains.

IDS adopters, on the other hand, have gone a step further in their assumptions. Here the rationale is that they can NOT stop all the attacks; sometime, somewhere, there will be someone good enough to bypass the poorly configured firewall, so here the idea is "if I cannot stop them all, at least I will try to be informed as soon as I detect a successful attack" (think a NIDS on the trusted side of the FW, or a HIDS). So in my opinion adopting IDS technologies implies a conceptual change in terms of what is expected from the firewall technology; the adopter is giving in to the idea of not being able to stop all the attacks.

Further down the line, a honeypot/honeynet could be, and is generally, used to LEARN from the attacker. Here the adopter accepts that her IDS will not detect all attacks, but only those that are previously known or differ substantially from the normal user behavior, and that she will not acquire any substantial information about the attacker or the techniques employed, nor about previously unknown forms of attack. Deploying a honeypot demonstrates a desire to learn from attackers, and perhaps also to go after them with a stronger case.

Yes, perhaps all the things listed below are one and the same; after all, they are just electrons flowing in a barely ordered way. But I believe that the differences should be presented in terms of what "implicit" security assumptions are being made when each of them is used.

jm2p
-ivan

--
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

----- Original Message -----
From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
To: <firewall-wizards () nfr net> <firewall-wizards () honor icsalabs com>
Sent: Monday, August 12, 2002 8:53 PM
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

Actually:
IDS
VPN
routers
honeypots
Firewalls
URL filters
boundary antivirus
caching proxies

---
for a personal reply use: Iván Arce <ivan.arce () corest com>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name, (continued)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Frank Knobbe (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ryan Russell (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Barney Wolff (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name B. Scott Harroff (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Frank Knobbe (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Iván Arce (Aug 13)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 14)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Mikael Olsson (Aug 14)
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ofir Arkin (Aug 16)
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 17)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 17)
- RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name Ofir Arkin (Aug 17)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Marcus J. Ranum (Aug 12)
- Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name Crispin Cowan (Aug 13)