Firewall Wizards mailing list archives
Re: FW appliance comparison - Seeking input for the forum
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 18 Jan 2006 15:07:53 -0500
Patrick M. Hausen wrote:
Why would you want a signature based IDS at all? They don't work. Period. Enumerating badness is a silly idea.
Who am I to argue?! But I'd like to comment... There is a value to signatures (and enumerating badness) if your purpose is diagnosis rather than prevention. Like Paul said, if you haven't covered prevention don't even _think_ about detection - but - if you _have_ covered prevention then detection is useful if you want burglar alarms (detection of policy violation) or big picture diagnosis. "You have thrown away 12,000 Code Red attacks" is more readable than "here are 60,000 logged packets that you may want to look at - see attachment."
Develop a policy that explicitly defines every kind of network traffic that is to be allowed to pass your perimeter. Application X using a "proprietary protocol"? Sorry, not allowed.
I'd actually recommend going a step further and having a second policy tier for your internal traffic, enforced at your core. Obviously it might be less restrictive than your perimeter policy, but not necessarily. Every time I hear about some critical network getting a worm infection, I want to scream. There are a few practitioners today going around talking about "compartmenting networks" as if it's a new idea. I'll spare you my powerpoints from 1989 on "service oriented requirements analysis" but they're someplace in my backup disks... Ah. I have an updated version from '95 but the song remains the same: http://www.ranum.com/security/computer_security/archives/requirements-analysis.pdf
Then use a firewall that only passes what is explicitly allowed and raises an alarm for everything that isn't. *Boom* as Steve Jobs would probably put it. Instant heuristic proactive unknown and future attack aware IDS.
Again, I agree 100%; the caveat is that most of the "firewalls" that are out there have only minimal processing going on at Layer 7 and are really very little more than pimped-up routers with a security interface atop a simple state-machine rulesbase. If you pay an extra $60,000 you can get the same pimped-up router with a silicon regex jump-up and some poorly translated snort rules in it. It may not do a lot of security processing, but it's fast!!

The original concept of firewalls, back when we were trying to really make them secure, was that they were software devices that enforced correctness at Layer 7 and applied additional policy atop that. For example, the DEC SEAL FTP proxy "understood" FTP bounce attacks (it detected when the PORT IP address decoded to a different address than the calling client) and denied them. While that was a legitimate operation in terms of the FTP RFC, basically the author of the firewall (that's me) had decided that the IETF got the protocol wrong, and the firewall wasn't afraid to unilaterally fix it.

The Gauntlet SMTP proxy, for example, "understood" only the barest minimum of SMTP necessary to get Email back and forth and rejected everything else. Layered above that were additional sanity checks where the author of the firewall (that's me, again) decided the guys who'd written the RFC had done it wrong. I.e.: the proxy didn't think certain punctuation characters were appropriate in an Email address and if you wanted to be joe-newline () someplace com you could, but your Email was not going through the firewall. I actually had a mode that rejected X.400 addresses but nobody thought that was as funny as I did at the time - now everyone appreciates the joke a lot better.

Anyhow, in firewalls, the design switched from conservative default deny AT LAYER 7 to default permit. No longer did your HTTP traffic have to look like HTTP - now it could look like *anything* as long as it had a URL in front of it.
Thus the firewall became permeable to spyware, SOAP, trojans, etc, etc. Many customers considered this a big step forward. They were wrong. But it's fast!

mjr.
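The FTP bounce check Marcus describes, as an added Python example (not DEC SEAL code or anything posted in this thread); it assumes the proxy already knows the client's source address from the control connection, and the function names are hypothetical:

```python
import ipaddress
import re

# Constructed illustration of the DEC SEAL-style check: a PORT command tells
# the server which address to connect back to; the proxy refuses any PORT
# whose address is not the calling client's own, which is exactly what an
# FTP bounce needs. Names here are hypothetical, not from any product.

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (dotted_ip, port).

    Raises ValueError for anything that is not a well-formed PORT command.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of 0..255 range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def proxy_decision(client_ip: str, line: str) -> str:
    """'allow' only if the PORT address equals the client that sent it.

    Anything malformed is denied as well: the proxy is default deny.
    """
    try:
        ip, _port = parse_port_command(line)
    except ValueError:
        return "deny"
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(client_ip):
        return "deny"  # bounce attempt: server would connect to a third party
    return "allow"


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 192.0.2.10.
    client = "192.0.2.10"
    for cmd in ("PORT 192,0,2,10,4,1", "PORT 198,51,100,7,0,25", "PORT 1,2,3"):
        print(f"{cmd!r:32} -> {proxy_decision(client, cmd)}")
```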