RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

["Bob Walder" <bwalder () spamcop net>]

I think you are on pretty safe ground now with that one, Greg ;o)

12 months might be a little on the ambitious side, but the end result is
inevitable. I wrote the foreword for our IPS report (www.nss.co.uk/ips)
almost a year ago to the day, and it went to press last December,
including the following paragraph:

"So-called "deep inspection firewalls" may be where the industry is
heading in the long term, but they are simply not ready for prime-time
deployments at this point in time. Until they are, security
administrators need to make the best use of the technology that *is*
available, and for now that means a combination of firewalls, in-line
intrusion prevention devices, and intrusion detection systems."

One of the press releases that accompanied the release of the report was
more specific - it talked about the fact that the firewall guys were
busy producing their "deep inspection firewalls" whilst the IDS guys
were busy producing their new "Intrusion Prevention Systems" - both are
imperfect technologies and convergence is inevitable. Who wants to pay
for and manage two devices at the edge of the network? Who wants to
double the number of devices they have to deploy in the core of the
network? 

The only REAL question is who will win the race to product the perfect
integrated device - the firewall guys or the IDS/IPS guys? 

That's where you can stick your neck out ;o)

Regards,

Bob Walder
The NSS Group
www.nss.co.uk





> > -----Original Message-----
> > From: Greg Shipley [mailto:gshipley () neohapsis com] 
> > Sent: 30 August 2004 06:46
> > To: Jacob Winston
> > Cc: focus-ids () securityfocus com
> > Subject: Re: Firewall vs. IPS - Differences now (ISS, 
> > Intrushield 2.1?)
> >
> >
> >
> > On Sun, 16 Aug 2004, Jacob Winston wrote:
> >
> > > Things are getting a little confusing. ISS claims that its 
> > Proventia 
> > > boxes are also firewallas. Intrushield 2.1 has firewall/layer 4 
> > > filtering capabilities now. If the Intrushield box layer 4 
> > acls now 
> > > then what makes it not be equal to a firewall? What does a 
> > firewall do 
> > > that an IPS doesn't as long as the IPS can do layer-4 
> > access lists? 
> > > Any info is apprecaited.
> >
> > (I've been lurking on this list for a while, but I fear that 
> > this one has finally lured me out!  :)
> >
> > Heh - good question.  You aren't alone in asking it, either...
> >
> > Here's a prediction I'll toss out there for all and everyone 
> > can make fun of me if I turn out to be wrong (the joy of 
> > archived email lists!): I think what we know today as a 
> > "Network Intrusion Prevention System" (NIPS) will cease to 
> > exist 12 months from now.  In fact, we're seeing signs of 
> > this shift already.  (ACLs appearing in McAfee's 
> > IntruShield, the Netscreen/OneSecure/Juniper IDP blade that 
> > has been announced for the new Juniper ISG 2000 firewall 
> > platform, etc.)
> >
> > While one can argue the technical and philosophical 
> > differences between the modern day NIPS and firewall, when 
> > you get down to the heart of the matter they are both 
> > network access control devices.  I've always thought the 
> > comparison between NIDS and NIPS was silly, as NIPS devices 
> > are closer to a firewall in function.  Sure, NIPS technology 
> > has a lot of roots from the NIDS world (the signature sets 
> > being one of the biggest parts), but IDS has traditionally 
> > performed a monitoring and compliance function...NOT access 
> > control.  (Different teams in many orgs, too)
> >
> > But there's a historical parallel that might be of interest 
> > to some, too: Years ago this very list was debating the PROs 
> > and CONs of pattern-matching / "packet-grepping" IDS 
> > approaches vs. protocol anomaly ones.  I won't re-hash that 
> > debate (google away!), but the result is that the market 
> > essentially demanded both.  So here we find ourselves in 
> > 2004 with NIDS products that incorporate - surprise surprise 
> > - both pattern-based and protocol anomaly based detection 
> > abilities.  The debate is moot now, as the two worlds 
> > blurred into what we now know as the modern NIDS.
> >
> > So putting my consumer hat on, I find myself wondering why I 
> > would want to pay for a firewall AND a NIPS when IMO, those 
> > functions should be the same device.  Like I need ANOTHER 
> > pair of devices for my HA environment when I've already got 
> > multiple routers, switches, firewalls, load balancers, etc...
> >
> > -------------
> >
> > The question, IMO, isn't whether the NIDS guys all need to 
> > become NIPS guys, but rather, who is going to get there 
> > first: the firewall vendors trying to incorporate high-speed 
> > protocol inspection and pattern matching abilities into 
> > their existing products, or the NIPS guys that are going to 
> > have to tackle the management challenges and traditional 
> > access control functions the firewall world already has?
> >
> > This collision seems inevitable to me, but again, you all 
> > can make fun of me in 12 months if I'm dead wrong!  :)
> >
> > (Incidentally, I suspect Juniper and McAfee have an 
> > advantage here, if for no other reason than they understand 
> > / have advanced experience with hardware acceleration...but 
> > I digress...)
> >
> > So to answer your question: it depends.  *grin* What I would 
> > do is a) decide what you need the device for, b) build your 
> > requirements and criteria list, and c) start looking at 
> > products that can meet those needs and VERIFY those claims.  
> > You might have a NIPS make that list, you might have a 
> > firewall make that list.  Or, if you can wait a little 
> > longer, they might become the same thing.  :)
> >
> > Greetings from Chicago,
> >
> > -Greg