RE: Firewalls Compared

["Ben Nagy" <ben () iagu net>]

Hi, 

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Stiennon,Richard
[...]
> Am I the only one that sees a huge difference between an 
> application proxy (ala the good old days of server based 
> firewalls) and filters that are applied to payloads (ala 
> Network Intrusion Prevention) by inline network devices? 

No. :)

> Let's keep in mind that stateful inspection firewalls are 
> GREAT security devices.[...]

Stuff I agree with snipped.

> Are you 
> going to write application proxies for Exchange? ASN 1? Does 
> anyone other than MSFT even know how these applications 
> communicate? Not.  But, you know what the vulnerability looks 
> like and could look at traffic and identify malicious 
> activity even without signatures. 

OK, but here's the rub - how are you going to identify, without signatures,
what is malicious without understanding the communication in depth? At some
level, the problem will always come down to the same thing. All the vendors
(including us [1]) that do "protocol anomaly detection" have a set of
expected behaviours, and a set of "this type of behaviour is always gonna be
bad" things that will set off alarms. However this technology can just as
easily be applied by a "firewall" when doing "deep inspection", or by a
Network IPS when doing "intelligent heuristic threat identification" or
buzzword equivalent.

Basically, it all gets down to semantics. I will agree, though, that it is
much, much easier to 'redpoint' portions of the communication protocol in
order to enforce rules and stop certain generic attack types without relying
on signatures. Writing a full application proxy is always going to be harder
than that.

Then again, you could do what Gauntlet did and just copy paste the plug
proxy ten times and give it different names, and then apply your "anomaly
detection" to that stream. Voila, you just invented a Deep Inspect-o-Tron
Application Fireweasel.

> The future of network 
> security is all about inspecting traffic. It is not about 
> application proxies. 

A lot of people are probably about to argue that those two things converge
to a limit at which they are functionally equivalent. I'm going to resist
biting on the "future of network security" prognosis - I guess that habit
must get ingrained after a while. ;)

Anyway, I do completely agree that more flexible and accurate techniques are
required to identify and block malicious traffic. Ports and IPs sure aren't
enough, and signatures are a waste of time, given the strong trend towards
zeroday or "effectively" zeroday attacks.

As I've said before, I see a lot of value in better ways to "mitigate
vulnerabilities" especially unknown and non-signature friendly ones - I also
think that the closer you can get to the host the better (to better cover
multiple attack vectors), but we just went there did that discussion a few
weeks ago.

> -Richard Stiennon

Cheers,

ben

[1] Yeah, yeah, disclaimer, I work for eEye, we have a host-based IPS, apply
pinches of salt to taste. Heck, just ignore me completely - but if you
patent a Deep Inspectotron Application Fireweasel then I want 15%.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards