Firewall Wizards mailing list archives

RE: GIDS, Intrusion Prevention: A Firewall by Any Other Name


From: "Ofir Arkin" <ofir () sys-security com>
Date: Fri, 16 Aug 2002 17:55:51 +0100

All,

I remember when we only had proxies (application level gateways and
regular ones) and packet filters. Then other concepts came along such as
"dynamic filtering" and "stateful inspection".

Today, at least for me, a "basic" firewall is not enough.
The features, or at least what we expect to act against at the perimeter,
have changed - we are simply looking to do more things and get rid of more
things at the perimeter, where the old concepts do not work anymore.

We wish the firewall to understand the protocol, to analyze at least
some of the stuff traversing the firewall and to be able to drop packets
on issues other than source and destination port (G, I got that abstract
now, MJR might kick me :P).

So, for me, it is just an ability list.

Look for Sidewinder and CheckPoint FW-1 NG (cool stuff there).


Hogwash is cool; do not forget it is open source and developed in
Jed's spare time. At the end of the day it works well and provides
exactly what Jed tells you it provides.


Damn, we did not even get to the software vs. hardware issue and the
lovely fake tests on IDSs and firewalls (just a hint for MJR :P ).

Cheers!
 

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

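The point Ofir makes above, that a firewall should be able to drop traffic for reasons other than source and destination port, shown as an added example that is not part of the thread and not Ofir's, Sidewinder's or FW-1's code: a toy port-only filter beside a toy HTTP-aware filter, both run over constructed packets to TCP/80. The Packet type, the rule set, the function names and every sample payload (including the SSH banner) are assumptions made up here for illustration; the HTTP checks deliberately accept only origin-form request targets.

```python
# Added example (not from the thread). Contrasts a classic port-based packet
# filter with a protocol-aware filter that inspects the HTTP request itself.
# The Packet type, the rule set and the sample payloads are constructed here
# purely for illustration.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the TCP stream, client -> server


def port_filter(pkt: Packet, allowed_ports=(80,)) -> str:
    """Classic packet filter: the only thing it looks at is the destination port."""
    return "ACCEPT" if pkt.dport in allowed_ports else "DROP"


def http_aware_filter(pkt: Packet, allowed_methods=(b"GET", b"HEAD", b"POST"),
                      max_target_len=2048) -> str:
    """Application-aware filter: port 80 traffic must also look like a sane HTTP request.

    Each check is a reason to drop that a port filter cannot express:
      * a complete request line terminated by CRLF is present,
      * it has exactly three space-separated tokens,
      * the method is one we allow,
      * the version token is HTTP/1.x,
      * the target is origin-form (starts with '/'), printable ASCII and not oversized.
    """
    if pkt.dport != 80:
        return "DROP"
    line, sep, _rest = pkt.payload.partition(b"\r\n")
    if not sep:
        return "DROP"  # no request line at all (e.g. a non-HTTP protocol on port 80)
    parts = line.split(b" ")
    if len(parts) != 3:
        return "DROP"
    method, target, version = parts
    if method not in allowed_methods:
        return "DROP"
    if not version.startswith(b"HTTP/1."):
        return "DROP"
    if len(target) > max_target_len or not target.startswith(b"/"):
        return "DROP"
    if any(b < 0x21 or b > 0x7E for b in target):
        return "DROP"  # control or non-ASCII bytes in the request target
    return "ACCEPT"


# Constructed sample flows, all to TCP/80 so the port filter treats them alike.
SAMPLES = {
    "plain_get": Packet("10.0.0.5", "192.0.2.10", 80,
                        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "ssh_on_80": Packet("10.0.0.6", "192.0.2.10", 80,
                        b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    "huge_target": Packet("10.0.0.7", "192.0.2.10", 80,
                          b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"),
    "ctrl_bytes": Packet("10.0.0.8", "192.0.2.10", 80,
                         b"GET /cgi-bin/\x00\x01.. HTTP/1.0\r\n\r\n"),
    "bad_method": Packet("10.0.0.9", "192.0.2.10", 80,
                         b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}


def compare(samples=SAMPLES):
    """Run both filters over the samples; returns {name: (port_verdict, http_verdict)}."""
    return {name: (port_filter(p), http_aware_filter(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (port_v, http_v) in compare().items():
        print(f"{name:12s} port-filter={port_v:6s} http-aware={http_v}")
```

The port filter accepts all five flows because they all go to port 80; the HTTP-aware filter accepts only the plain GET. A real application-level gateway would go much further (header parsing, reassembly across segments, response inspection), but the gap between the two verdict columns is exactly the "understand the protocol" ability the message asks for.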
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Iván Arce
Sent: 13 August 2002 18:19
To: firewall-wizards () nfr net
Cc: core.lists.firewall-wizards () corest com
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name

But there are fundamental conceptual differences
from a security standpoint in some of the technologies
listed below.

Those adopting firewalling technologies are aiming at
preventing (read: STOPPING) attacks coming from
one security domain to another (let's say an untrusted
net and a trusted one). The rationale and the "paradigm"
behind firewalls is (or at least I see it as) that: stopping
the attackers, isolation of security domains.

IDS adopters, on the other hand, have gone a step
further in their assumptions. Here the rationale is that
they can NOT stop all the attacks; sometime, somewhere,
there will be someone good enough to bypass the poorly
configured firewall, so here the idea is "if I cannot stop them all,
at least I will try to be informed as soon as I detect a successful
attack" (think a NIDS on the trusted side of the FW, or a HIDS).
So in my opinion adopting IDS technologies implies a conceptual
change in terms of what is expected from the firewall technology:
the adopter is giving in to the idea of not being able to
stop all the attacks.

Further down the line, a honeypot/honeynet could be, and generally
is, used to LEARN from the attacker. Here the adopter
accepts that her IDS will not detect all attacks, but only those
that are previously known or differ substantially from the
normal user behavior, and that she will not acquire any substantial
information about the attacker or the techniques employed, nor
about previously unknown forms of attack. Deploying a honeypot
demonstrates a desire to learn from attackers, and perhaps also
to go after them with a stronger case.

Yes, perhaps all the things listed below are one and the same,
after all they are just electrons flowing in a barely ordered way but
I believe that the differences should be presented in terms of
what "implicit" security assumptions are being made when each of
them is used.

jm2p

-ivan

--
Perscriptio in manibus tabellariorum est ("The check is in the mail")
Noli me vocare, ego te vocabo ("Don't call me, I'll call you")

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

----- Original Message -----
From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
To: <firewall-wizards () nfr net>
<firewall-wizards () honor icsalabs com>
Sent: Monday, August 12, 2002 8:53 PM
Subject: Re: [fw-wiz] GIDS, Intrusion Prevention: A Firewall by Any Other Name



Actually:
        IDS
        VPN routers
        honeypots
        Firewalls
        URL filters
        boundary antivirus
        caching proxies

--- for a personal reply use: Iván Arce <ivan.arce () corest com>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
