Firewall Wizards mailing list archives
RE: Corporate H/N IPS
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 17 Dec 2002 02:01:27 -0500
David Lang wrote:
4. with a good application proxy firewall it's hard to say 'well, just let everything through for now and we'll tighten it up later'
That's (I think) the real issue. Pure proxy firewalls require someone to understand something about the protocols being gatewayed. Sometimes the process of writing the proxy uncovered horrific flaws in some of the applications being gatewayed - I remember when we were working on the Gauntlet proxy for http, some of the guys discovered truly horrific coding problems in the Mosaic browser - problems so horrifying that we concluded there WAS NO SAFE WAY TO RUN THIS STUFF THROUGH OUR PRODUCT. Of course, the customers gravitated toward the vendor that said "SURE! Just load this rule and it'll let it through!" - blithely assuming that the firewall actually did something more than log the fact that it was being allowed through.

It strikes me as ironic that now proxies are back in the form of XML security engines or "layer 7 firewalls" or other content manipulating security systems. The makers of the packet-screening (be they stateful or otherwise) firewalls really blew an opportunity to expand their product sets by not offering advanced (fast) URL filtering for web servers (thereby cornering off the web server security market) and signature-matching for content on accepted or rejected traffic (thereby choking off the IDS market by subsuming it) - Checkpoint has acted kind of like a university professor that has achieved tenure: they're content to rest on their laurels and keep rehashing the same thing but with just a few more features and better graphics. Meanwhile you have other folks scrambling to solve small slices of the big picture - and trying desperately not to cross Checkpoint's sails.

When you talk to some of the proponents of "Intrusion Prevention" here's a fun question to ask 'em: "SO, you took your firewall down, then, did you?" They'll look at you funny. "Well, if your IPS really prevents intrusions, you'll not be needing it anymore, right?" It's screamingly funny. :)

Heck, I even ask IPS product vendors which firewall product they use to protect their web server and most of 'em have Checkpoints.

Proxy firewalls can run really really fast if designed right(*) and could do a lot of stuff that is today relegated to "Inline IDS" and "honeypots" and a bunch of lesser technologies. What amazes me is that none of the firewall vendors moved fast enough and now we have all these point-product solutions yammering for our attention.

mjr.

(* my first 2 were not designed to be fast, they were designed to be secure. my mistake.)

---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
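The contrast the message draws, between a packet screen that "just loads a rule" to let port 80 through and an application proxy that has to understand the protocol it gateways, is shown below as an added example that is not part of the original post or of any product discussed in it. The port-only rule, the proxy checks (method whitelist, request-line length, header sanity, Host requirement) and all sample requests are constructed for illustration and are not taken from Gauntlet, Checkpoint or any other vendor's code.

```python
"""
Added example (not from the mailing-list post): a port-based allow rule
beside a minimal application-proxy policy for HTTP.  The packet filter
decides on the destination port alone and never looks at the payload; the
proxy parses the request and rejects anything that does not look like the
protocol it was written for.  All policy limits and sample requests below
are constructed assumptions, not any product's behaviour.
"""
from dataclasses import dataclass

# Hypothetical proxy policy limits (assumed values for the illustration).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 2048
MAX_HEADER_COUNT = 50
SUPPORTED_VERSIONS = ("HTTP/1.0", "HTTP/1.1")


def packet_filter_allows(dst_port: int, payload: bytes) -> bool:
    """Packet screen: 'allow tcp/80'.  The payload is not inspected at all."""
    return dst_port == 80


@dataclass
class Verdict:
    allowed: bool
    reason: str


def proxy_allows(payload: bytes) -> Verdict:
    """Application proxy: parse the request head and enforce protocol sanity."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes in request head")

    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return Verdict(False, "no end of headers")

    lines = head.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, "request line too long")

    parts = request_line.split(" ")
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    method, target, version = parts

    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not permitted")
    if version not in SUPPORTED_VERSIONS:
        return Verdict(False, f"unsupported version {version}")
    # Only origin-form targets; no whitespace or NUL in the path.
    if not target.startswith("/") or any(c in target for c in " \t\x00"):
        return Verdict(False, "bad request target")

    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        return Verdict(False, "too many headers")

    seen = set()
    for h in headers:
        name, colon, value = h.partition(":")
        if not colon or not name or name != name.strip():
            return Verdict(False, f"malformed header {h!r}")
        if any(ord(c) < 0x20 for c in value):
            return Verdict(False, "control characters in header value")
        seen.add(name.lower())

    if version == "HTTP/1.1" and "host" not in seen:
        return Verdict(False, "HTTP/1.1 request without Host")
    return Verdict(True, "ok")


def compare(payload: bytes, dst_port: int = 80) -> tuple[bool, Verdict]:
    """Run the same bytes through both policies and return both decisions."""
    return packet_filter_allows(dst_port, payload), proxy_allows(payload)


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
LONG_REQUEST = b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
NO_HOST_REQUEST = b"GET / HTTP/1.1\r\n\r\n"
CTRL_REQUEST = b"GET / HTTP/1.0\r\nX-Junk: a\x01b\r\n\r\n"
JUNK_REQUEST = b"\x00\x01\x02not http at all"

if __name__ == "__main__":
    for label, req in [("good", GOOD_REQUEST), ("long", LONG_REQUEST),
                       ("no-host", NO_HOST_REQUEST), ("ctrl", CTRL_REQUEST),
                       ("junk", JUNK_REQUEST)]:
        filt, verdict = compare(req)
        print(f"{label:8} packet-filter={filt!s:5} proxy={verdict.allowed!s:5} ({verdict.reason})")
```

Every one of the malformed samples passes the port-80 rule, because that rule only ever records that traffic on port 80 was allowed; the proxy rejects each with a reason, which is also what makes the log entry useful to whoever reviews it. The cost is exactly the one the message names: someone had to know what a well-formed HTTP request looks like before the policy could be written.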