IDS mailing list archives
Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)
From: Greg Shipley <gshipley () neohapsis com>
Date: Sun, 29 Aug 2004 23:45:56 -0500 (CDT)
On Sun, 16 Aug 2004, Jacob Winston wrote:
Things are getting a little confusing. ISS claims that its Proventia boxes are also firewallas. Intrushield 2.1 has firewall/layer 4 filtering capabilities now. If the Intrushield box layer 4 acls now then what makes it not be equal to a firewall? What does a firewall do that an IPS doesn't as long as the IPS can do layer-4 access lists? Any info is apprecaited.
(I've been lurking on this list for a while, but I fear that this one has finally lured me out! :) Heh - good question. You aren't alone in asking it, either... Here's a prediction I'll toss out there for all and everyone can make fun of me if I turn out to be wrong (the joy of archived email lists!): I think what we know today as a "Network Intrusion Prevention System" (NIPS) will cease to exist 12 months from now. In fact, we're seeing signs of this shift already. (ACLs appearing in McAfee's IntruShield, the Netscreen/OneSecure/Juniper IDP blade that has been announced for the new Juniper ISG 2000 firewall platform, etc.) While one can argue the technical and philosophical differences between the modern day NIPS and firewall, when you get down to the heart of the matter they are both network access control devices. I've always thought the comparison between NIDS and NIPS was silly, as NIPS devices are closer to a firewall in function. Sure, NIPS technology has a lot of roots from the NIDS world (the signature sets being one of the biggest parts), but IDS has traditionally performed a monitoring and compliance function...NOT access control. (Different teams in many orgs, too) But there's a historical parallel that might be of interest to some, too: Years ago this very list was debating the PROs and CONs of pattern-matching / "packet-grepping" IDS approaches vs. protocol anomaly ones. I won't re-hash that debate (google away!), but the result is that the market essentially demanded both. So here we find ourselves in 2004 with NIDS products that incorporate - surprise surprise - both pattern-based and protocol anomaly based detection abilities. The debate is moot now, as the two worlds blurred into what we now know as the modern NIDS. So putting my consumer hat on, I find myself wondering why I would want to pay for a firewall AND a NIPS when IMO, those functions should be the same device. Like I need ANOTHER pair of devices for my HA environment when I've already got multiple routers, switches, firewalls, load balancers, etc... ------------- The question, IMO, isn't whether the NIDS guys all need to become NIPS guys, but rather, who is going to get there first: the firewall vendors trying to incorporate high-speed protocol inspection and pattern matching abilities into their existing products, or the NIPS guys that are going to have to tackle the management challenges and traditional access control functions the firewall world already has? This collision seems inevitable to me, but again, you all can make fun of me in 12 months if I'm dead wrong! :) (Incidentally, I suspect Juniper and McAfee have an advantage here, if for no other reason than they understand / have advanced experience with hardware acceleration...but I digress...) So to answer your question: it depends. *grin* What I would do is a) decide what you need the device for, b) build your requirements and criteria list, and c) start looking at products that can meet those needs and VERIFY those claims. You might have a NIPS make that list, you might have a firewall make that list. Or, if you can wait a little longer, they might become the same thing. :) Greetings from Chicago, -Greg
Current thread:
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?), (continued)
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Rob Shein (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) M. Dodge Mumford (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Shaiful (Aug 24)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) M. Dodge Mumford (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Srini (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Joel Snyder (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Thomas Ptacek (Aug 25)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) nick black (Aug 29)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Mike Frantzen (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) nick black (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Mike Frantzen (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Thomas Ptacek (Aug 25)
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Rob Shein (Aug 20)