IDS mailing list archives

Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)


From: Greg Shipley <gshipley () neohapsis com>
Date: Sun, 29 Aug 2004 23:45:56 -0500 (CDT)


On Sun, 16 Aug 2004, Jacob Winston wrote:

Things are getting a little confusing. ISS claims that its Proventia
boxes are also firewalls. Intrushield 2.1 has firewall/layer 4
filtering capabilities now. If the Intrushield box has layer 4 ACLs now, then
what makes it not be equal to a firewall? What does a firewall do that
an IPS doesn't as long as the IPS can do layer-4 access lists? Any info
is appreciated.

(I've been lurking on this list for a while, but I fear that this one has
finally lured me out!  :)

Heh - good question.  You aren't alone in asking it, either...

Here's a prediction I'll toss out there for all and everyone can make fun
of me if I turn out to be wrong (the joy of archived email lists!): I
think what we know today as a "Network Intrusion Prevention System" (NIPS)
will cease to exist 12 months from now.  In fact, we're seeing signs of
this shift already.  (ACLs appearing in McAfee's IntruShield, the
Netscreen/OneSecure/Juniper IDP blade that has been announced for the new
Juniper ISG 2000 firewall platform, etc.)

While one can argue the technical and philosophical differences between
the modern day NIPS and firewall, when you get down to the heart of the
matter they are both network access control devices.  I've always thought
the comparison between NIDS and NIPS was silly, as NIPS devices are closer
to a firewall in function.  Sure, NIPS technology has a lot of roots from
the NIDS world (the signature sets being one of the biggest parts), but
IDS has traditionally performed a monitoring and compliance function...NOT
access control.  (Different teams in many orgs, too)

But there's a historical parallel that might be of interest to some, too:
Years ago this very list was debating the PROs and CONs of
pattern-matching / "packet-grepping" IDS approaches vs. protocol anomaly
ones.  I won't re-hash that debate (google away!), but the result is that
the market essentially demanded both.  So here we find ourselves in 2004
with NIDS products that incorporate - surprise surprise - both
pattern-based and protocol anomaly based detection abilities.  The debate
is moot now, as the two worlds blurred into what we now know as the
modern NIDS.

So putting my consumer hat on, I find myself wondering why I would want to
pay for a firewall AND a NIPS when IMO, those functions should be the same
device.  Like I need ANOTHER pair of devices for my HA environment when
I've already got multiple routers, switches, firewalls, load balancers,
etc...

-------------

The question, IMO, isn't whether the NIDS guys all need to become NIPS
guys, but rather, who is going to get there first: the firewall vendors
trying to incorporate high-speed protocol inspection and pattern matching
abilities into their existing products, or the NIPS guys that are going to
have to tackle the management challenges and traditional access control
functions the firewall world already has?

This collision seems inevitable to me, but again, you all can make fun of
me in 12 months if I'm dead wrong!  :)

(Incidentally, I suspect Juniper and McAfee have an advantage here, if for
no other reason than they understand / have advanced experience with
hardware acceleration...but I digress...)

So to answer your question: it depends.  *grin* What I would do is a)
decide what you need the device for, b) build your requirements and
criteria list, and c) start looking at products that can meet those needs
and VERIFY those claims.  You might have a NIPS make that list, you might
have a firewall make that list.  Or, if you can wait a little longer, they
might become the same thing.  :)

Greetings from Chicago,

-Greg
