Firewall Wizards mailing list archives
RE: Firewalls Compared
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 29 Jun 2004 17:45:49 +0200
Hi,
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stiennon,Richard
[...]
Am I the only one that sees a huge difference between an application proxy (ala the good old days of server based firewalls) and filters that are applied to payloads (ala Network Intrusion Prevention) by inline network devices?
No. :)
Let's keep in mind that stateful inspection firewalls are GREAT security devices.[...]
Stuff I agree with snipped.
Are you going to write application proxies for Exchange? ASN 1? Does anyone other than MSFT even know how these applications communicate? Not. But, you know what the vulnerability looks like and could look at traffic and identify malicious activity even without signatures.
OK, but here's the rub - how are you going to identify, without signatures, what is malicious without understanding the communication in depth? At some level, the problem will always come down to the same thing. All the vendors (including us [1]) that do "protocol anomaly detection" have a set of expected behaviours, and a set of "this type of behaviour is always gonna be bad" things that will set off alarms. However this technology can just as easily be applied by a "firewall" when doing "deep inspection", or by a Network IPS when doing "intelligent heuristic threat identification" or buzzword equivalent. Basically, it all gets down to semantics. I will agree, though, that it is much, much easier to 'redpoint' portions of the communication protocol in order to enforce rules and stop certain generic attack types without relying on signatures. Writing a full application proxy is always going to be harder than that. Then again, you could do what Gauntlet did and just copy paste the plug proxy ten times and give it different names, and then apply your "anomaly detection" to that stream. Voila, you just invented a Deep Inspect-o-Tron Application Fireweasel.
The future of network security is all about inspecting traffic. It is not about application proxies.
A lot of people are probably about to argue that those two things converge to a limit at which they are functionally equivalent. I'm going to resist biting on the "future of network security" prognosis - I guess that habit must get ingrained after a while. ;) Anyway, I do completely agree that more flexible and accurate techniques are required to identify and block malicious traffic. Ports and IPs sure aren't enough, and signatures are a waste of time, given the strong trend towards zeroday or "effectively" zeroday attacks. As I've said before, I see a lot of value in better ways to "mitigate vulnerabilities" especially unknown and non-signature friendly ones - I also think that the closer you can get to the host the better (to better cover multiple attack vectors), but we just went there did that discussion a few weeks ago.
-Richard Stiennon
Cheers, ben [1] Yeah, yeah, disclaimer, I work for eEye, we have a host-based IPS, apply pinches of salt to taste. Heck, just ignore me completely - but if you patent a Deep Inspectotron Application Fireweasel then I want 15%. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewalls Compared, (continued)
- Re: Firewalls Compared Marcus J. Ranum (Jun 28)
- RE: Firewalls Compared Eugene Kuznetsov (Jun 29)
- RE: Firewalls Compared Ben Nagy (Jun 30)
- Re: Firewalls Compared Devdas Bhagat (Jun 30)
- Re: Firewalls Compared Crispin Cowan (Jun 30)
- Message not available
- Re: Firewalls Compared ArkanoiD (Jun 29)
- Message not available
- Re: Firewalls Compared Dave Piscitello (Jun 24)
- RE: Re: Firewalls Compared Christopher Lee (Jun 21)
- RE: Firewalls Compared Ben Nagy (Jun 30)
- Re: Firewalls Compared Devdas Bhagat (Jun 30)
- Message not available
- RE: Firewalls Compared Marcus J. Ranum (Jun 30)