IDS mailing list archives
RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)
From: "Bob Walder" <bwalder () spamcop net>
Date: Mon, 30 Aug 2004 23:27:24 +0200
I think you are on pretty safe ground now with that one, Greg ;o) 12 months might be a little on the ambitious side, but the end result is inevitable. I wrote the foreword for our IPS report (www.nss.co.uk/ips) almost a year ago to the day, and it went to press last December, including the following paragraph: "So-called "deep inspection firewalls" may be where the industry is heading in the long term, but they are simply not ready for prime-time deployments at this point in time. Until they are, security administrators need to make the best use of the technology that *is* available, and for now that means a combination of firewalls, in-line intrusion prevention devices, and intrusion detection systems." One of the press releases that accompanied the release of the report was more specific - it talked about the fact that the firewall guys were busy producing their "deep inspection firewalls" whilst the IDS guys were busy producing their new "Intrusion Prevention Systems" - both are imperfect technologies and convergence is inevitable. Who wants to pay for and manage two devices at the edge of the network? Who wants to double the number of devices they have to deploy in the core of the network? The only REAL question is who will win the race to product the perfect integrated device - the firewall guys or the IDS/IPS guys? That's where you can stick your neck out ;o) Regards, Bob Walder The NSS Group www.nss.co.uk
-----Original Message----- From: Greg Shipley [mailto:gshipley () neohapsis com] Sent: 30 August 2004 06:46 To: Jacob Winston Cc: focus-ids () securityfocus com Subject: Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) On Sun, 16 Aug 2004, Jacob Winston wrote:Things are getting a little confusing. ISS claims that itsProventiaboxes are also firewallas. Intrushield 2.1 has firewall/layer 4 filtering capabilities now. If the Intrushield box layer 4acls nowthen what makes it not be equal to a firewall? What does afirewall dothat an IPS doesn't as long as the IPS can do layer-4access lists?Any info is apprecaited.(I've been lurking on this list for a while, but I fear that this one has finally lured me out! :) Heh - good question. You aren't alone in asking it, either... Here's a prediction I'll toss out there for all and everyone can make fun of me if I turn out to be wrong (the joy of archived email lists!): I think what we know today as a "Network Intrusion Prevention System" (NIPS) will cease to exist 12 months from now. In fact, we're seeing signs of this shift already. (ACLs appearing in McAfee's IntruShield, the Netscreen/OneSecure/Juniper IDP blade that has been announced for the new Juniper ISG 2000 firewall platform, etc.) While one can argue the technical and philosophical differences between the modern day NIPS and firewall, when you get down to the heart of the matter they are both network access control devices. I've always thought the comparison between NIDS and NIPS was silly, as NIPS devices are closer to a firewall in function. Sure, NIPS technology has a lot of roots from the NIDS world (the signature sets being one of the biggest parts), but IDS has traditionally performed a monitoring and compliance function...NOT access control. (Different teams in many orgs, too) But there's a historical parallel that might be of interest to some, too: Years ago this very list was debating the PROs and CONs of pattern-matching / "packet-grepping" IDS approaches vs. protocol anomaly ones. I won't re-hash that debate (google away!), but the result is that the market essentially demanded both. So here we find ourselves in 2004 with NIDS products that incorporate - surprise surprise - both pattern-based and protocol anomaly based detection abilities. The debate is moot now, as the two worlds blurred into what we now know as the modern NIDS. So putting my consumer hat on, I find myself wondering why I would want to pay for a firewall AND a NIPS when IMO, those functions should be the same device. Like I need ANOTHER pair of devices for my HA environment when I've already got multiple routers, switches, firewalls, load balancers, etc... ------------- The question, IMO, isn't whether the NIDS guys all need to become NIPS guys, but rather, who is going to get there first: the firewall vendors trying to incorporate high-speed protocol inspection and pattern matching abilities into their existing products, or the NIPS guys that are going to have to tackle the management challenges and traditional access control functions the firewall world already has? This collision seems inevitable to me, but again, you all can make fun of me in 12 months if I'm dead wrong! :) (Incidentally, I suspect Juniper and McAfee have an advantage here, if for no other reason than they understand / have advanced experience with hardware acceleration...but I digress...) So to answer your question: it depends. *grin* What I would do is a) decide what you need the device for, b) build your requirements and criteria list, and c) start looking at products that can meet those needs and VERIFY those claims. You might have a NIPS make that list, you might have a firewall make that list. Or, if you can wait a little longer, they might become the same thing. :) Greetings from Chicago, -Greg
Current thread:
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?), (continued)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Joel Snyder (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Thomas Ptacek (Aug 25)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) nick black (Aug 29)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Mike Frantzen (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) nick black (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Mike Frantzen (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Thomas Ptacek (Aug 25)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Joel Snyder (Aug 20)