RE: IPS (was: Sources for Extranet Designs?)

["Stiennon,Richard" <Richard.Stiennon () gartner com>]

Here are the definitions I am working with:

Network IPS:

An inline device that assembles  packets into streams or sessions and parses them.
Multiple methodologies to determine malicious intent. Usually includes signature, protocol anomaly, behavior and flow 
capabilities. 
The ability to drop sessions associated with attacks. Note, this is dramatically different than a firewall that can 
close *connections* based on source-destination-port. 

Definitions are often helped out by a set of reference vendors. In my mind, Tippingpoint, TopLayer, Radware, NAI 
Intrushield, Netscreen IDP, Reflex Security and even Checkpoint Intrespect all fit this definition. 

Host IPS:

A software shim (firewall) that sits between the kernel and the application. System calls are intercepted and blocked 
if they are outside the "allow" policy.  Much simpler space with only three vendors, Cisco Secure Agent (was Okena), 
NAI Entercept, and Sana Security.  A start up called Araksha is also looking at this space but they go much deeper into 
the application at run time. 


The firewall vendors are excited by IPS because it is a product that can be deployed deep inside a network. Initial 
traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on 
"academic freedom".  Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file 
sharing) at universities. 

Best,

-Richard Stiennon
 

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Ben Nagy
Sent: Thursday, February 26, 2004 9:06 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)


Can I just jump in and ask what _exactly_ people think "IPS" means? I know
I'm asking for a definition debate and we've all seen a bunch of those over
the years, but I'm concerned that the "buzzword" factor has lead to
compression in terms of vocab.

I don't see the basic "attach an IDS to a firewall and have the firewall do
stuff based on signatures" concept as amazingly useful (my personal
opinion). However lots of companies are producing stuff which they are also
calling IPS (us included; consider that a disclaimer).

Intrusion Prevention can be done at a number of places

1. The Firewall
2. The Network (inline IPS lives here)
3. The Host (cross platform issues here!)
- 3a. The Host Network level (TDI or driver stuff, where the current PFWs
live)
- 3b. The Host Kernel / Memory Mangement level (systrace, pax, and their
windows friends)

Of those places, we can work on

1. Attack Signatures (easy to evade, prone to false positives, reactive)
2. Anomaly detection (statistical stuff, less configuration, foolable)
3. Rule Based (hard to program, slower, better suited to a host model)
4. Traffic / rate based.

There is a lot of technical depth to the pros and cons of each approach [1].
My own opinion is that the problem of malware, worms and the newer attack
vectors (VPN, wireless, laptops etc) pretty much makes it pointless to focus
too much on FW based IPS. 

Basically, firewalls are perimeter based, have huge problems coping with
threats that are above the network level, and it's always going to be hard
work to stretch their capacities. Witness the profound marketing and
technical failure of the proxy firewall, for example. (ok, maybe that sounds
like a troll. ;)

However, even the crappiest personal firewall has a reasonable chance to
contain malware by using application firewalling (this app can bind ports
this one can't). The ways that is being approached today is pretty
primitive, and there is a lot of work to do - yes - but it's a start. I see
future potentiallllllll in an anomaly based approach which can really step
in at the network level - buuut...

Anyways, I'll restrict the rant, but the point is that it's an overused
term, it's Gartnerised, but it's genuinely interesting. I'd love to hear
some of your opinions about the viability of the various approaches -
because it's fairly clear that we need _some_ new approach.

ben

[1] European readers with too much time on their hands could come and hear
me waffle about this at Infosecurity Europe. Those of you out there who know
more about this than I do are welcome to clue me up in advance. ;)

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Don Parker
> Sent: Tuesday, February 24, 2004 12:00 AM
> To: Marcus J. Ranum; Wes Noonan; 'Baumann, Sean C.'; 'R. DuFresne'
> Cc: 'Paul Robertson'; firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Sources for Extranet Designs?
>
> Yes indeed IPS is an excellent technology that is slowly 
> maturing. There is still nothing wrong with the IDS though. 
[...]
> On Feb 23, "Marcus J. Ranum" <mjr () ranum com> wrote:
>
> Wes Noonan wrote:
> > IPS would be a no brainer for me in this scenario.
>
> I. Hate. To. Admit. It. But. You. May. Be Right.
>
> IPS hype aside, and ignoring what the Gartner idiots think, 
> there's a conceptual value to the IPS concept. Basically, a 
> firewall implements one of 2 policies:
>         - Permit
>         - Deny
>
> IPS (i.e.: a signature-based firewall) adds a third option to 
> the policy matrix:
>         - Permit
>         - Deny
>         - Permit it as long as it is not obviously abusive 
> (e.g.: signature
>                 hasn't fired)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards