Firewall Wizards mailing list archives
RE: Sources for Extranet Designs?
From: Chris Blask <chris () protegonetworks com>
Date: Tue, 24 Feb 2004 05:38:54 -0800 (PST)
Quoting Don Parker <dparker () rigelksecurity com>:
Yes indeed IPS is an excellent technology that is slowly maturing. There is still nothing wrong with the IDS though. Where the problem resides though is in the human interface to it. A distinct lack of knowledge, and sometimes education is the main problem when it comes to these technologies. I am however beating a dead horse vis a vis this in this mailing list. Heh, one of the main gripes I hear is the huge amount of data to cull through that is generated by an IPS/IDS. Were they up to speed on how to sift that data using bpf filters/bit masking there would not be a problem :-)

The human interface is the entire problem, and if you set the level of expertise found in the human at the lowest point found on the distribution chart of network operators you get a view of the shape of the solution...

IPS is fine, but it seems to me to simply be an evolution of the firewall as opposed to anything particularly new. The two questions are:

o Do network owners want to have yet another shell of perimeter security (and do they want it from another new vendor with its own logistic infrastructure)?

o If you made IPS devices, it would be good to soak up info from all of the other vendors. But if you compete with those other vendors, why would they help you do it better?

IDS is all goodness, but what to do with the output?

-chris
Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 23, "Marcus J. Ranum" <mjr () ranum com> wrote:

Wes Noonan wrote:

IPS would be a no brainer for me in this scenario.

I. Hate. To. Admit. It. But. You. May. Be Right.

IPS hype aside, and ignoring what the Gartner idiots think, there's a conceptual value to the IPS concept. Basically, a firewall implements one of 2 policies:
- Permit
- Deny

IPS (i.e.: a signature-based firewall) adds a third option to the policy matrix:
- Permit
- Deny
- Permit it as long as it is not obviously abusive (e.g.: signature hasn't fired)

That's actually kind of cool. It means you can set up a connection for your business partner and let the traffic (for the minimum subset of services needed, of course!) go through. Then if the business partners generate traffic that is abusive or appears abusive you have useful information that you can further use to diagnose what they are doing. "Hey, mister outsourcer, why are you Nmapping my network?"

Of course since IPS is signature-based you're going to have the same kind of issues with false positives as you have with an IDS. But, since your business partners (in theory) should be communicating with you in a pretty plain vanilla manner, it should work OK.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Chris Blask
Vice President, Business Development
Protego Networks Inc.
(1) 416 358 9885 - Direct
(1) 408 262 5220 - HQ
(1) 408 262 5280 - Fax
blask () protegonetworks com
www.protegonetworks.com
"The first purpose-built appliance for Real-Time Security Threat Mitigation"
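The three-option policy matrix from the quoted message above (permit, deny, permit until a signature fires), sketched as an added example that is not part of the thread. The partner range, the allowed ports, the scan threshold and window, and the class and function names are assumptions, and the flows are constructed sample data.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

PARTNER_NET = ip_network("192.0.2.0/24")  # assumed partner source range
ALLOWED_PORTS = {443, 1521}               # assumed minimum subset of services
SCAN_THRESHOLD = 5                        # assumed: distinct (host, port) targets
WINDOW = 10.0                             # assumed: seconds

class ExtranetPolicy:
    def __init__(self):
        self.recent = defaultdict(deque)  # src -> (ts, dst, dport) attempts
        self.flagged = {}                 # src -> targets seen when signature fired

    def _scan_fired(self, ts, src, dst, dport):
        """Signature: one source touching many distinct targets in WINDOW."""
        q = self.recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > WINDOW:      # drop attempts older than the window
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= SCAN_THRESHOLD:
            self.flagged.setdefault(src, sorted(targets))  # keep as evidence
            return True
        return False

    def decide(self, ts, src, dst, dport):
        if ip_address(src) not in PARTNER_NET:
            return "deny"
        # Every attempt feeds the signature, including ones policy would drop.
        if self._scan_fired(ts, src, dst, dport) or src in self.flagged:
            return "deny-abusive"         # third option: the signature has fired
        return "permit" if dport in ALLOWED_PORTS else "deny"

# Constructed sample flows: (timestamp, source, destination, destination port)
FLOWS = [
    (0.0, "192.0.2.10", "10.0.0.5", 443),
    (1.0, "192.0.2.10", "10.0.0.5", 1521),
    (2.0, "198.51.100.7", "10.0.0.5", 443),
    *[(3.0 + i / 10, "192.0.2.99", "10.0.0.5", p)
      for i, p in enumerate([21, 22, 23, 25, 80, 443])],
    (20.0, "192.0.2.10", "10.0.0.5", 443),
]

def run(flows):
    policy = ExtranetPolicy()
    return [policy.decide(*f) for f in flows], policy.flagged

if __name__ == "__main__":
    print(run(FLOWS))
```

A partner host that legitimately reaches five or more distinct services inside the window would trip the same signature, which is the false-positive issue the quoted message mentions.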