Firewall Wizards mailing list archives

RE: Corporate H/N IPS


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 17 Dec 2002 02:01:27 -0500

David Lang wrote:
> 4. with a good application proxy firewall it's hard to say 'well, just let
> everything through for now and we'll tighten it up later'

That's (I think) the real issue. Pure proxy firewalls require someone
to understand something about the protocols being gatewayed. Sometimes
the process of writing the proxy uncovered horrific flaws in some of
the applications being gatewayed - I remember when we were working on
the Gauntlet proxy for http, some of the guys discovered truly
horrific coding problems in the Mosaic browser - problems so horrifying
that we concluded there WAS NO SAFE WAY TO RUN THIS STUFF THROUGH OUR
PRODUCT. Of course, the customers gravitated toward the vendor that
said "SURE! Just load this rule and it'll let it through!" - blithely
assuming that the firewall actually did something more than log
the fact that it was being allowed through.

It strikes me as ironic that now proxies are back in the form of
XML security engines or "layer 7 firewalls" or other content
manipulating security systems. The makers of the packet-screening
(be they stateful or otherwise) firewalls really blew an opportunity
to expand their product sets by not offering advanced (fast)
URL filtering for web servers (thereby cornering off the web
server security market) and signature-matching for content on
accepted or rejected traffic (thereby choking off the IDS market
by subsuming it) - Checkpoint has acted kind of like a university
professor that has achieved tenure: they're content to rest on
their laurels and keep rehashing the same thing but with just a
few more features and better graphics. Meanwhile you have other
folks scrambling to solve small slices of the big picture - and
trying desperately not to cross checkpoint's sails.

When you talk to some of the proponents of "Intrusion Prevention"
here's a fun question to ask 'em:  "SO, you took your firewall down,
then, did you?"  They'll look at you funny.  "Well, if your IPS
really prevents intrusions, you'll not be needing it anymore, right?"
It's screamingly funny. :) Heck, I even ask IPS product vendors
which firewall product they use to protect their web server and
most of 'em have Checkpoints.

Proxy firewalls can run really really fast if designed right(*)
and could do a lot of stuff that is today relegated to "Inline
IDS" and "honeypots" and a bunch of lesser technologies. What
amazes me is that none of the firewall vendors moved fast enough
and now we have all these point-product solutions yammering for
our attention.

mjr.
(* My first 2 were not designed to be fast, they were designed
to be secure. My mistake.)
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com
