Re: Firewalls (was Re: IDS evaluations procedures)

[Fergus Brooks <fergwa () gmail com>]

Devdas you say:

> An IDS is not an attack prevention mechanism. An IDS is a tool to detect
> when your active attack detection mechanisms have been bypassed. An IDS is
> passive. It tells you what it can see, but it is not supposed to do
> anything to that traffic. Active elements are called firewalls, and
> firewalls include both packet filters and proxies.

Traditionally a firewall is nothing more than a gatekeeper that
permits or denies traffic based on a predefined policy. "Active" in
that it is powered on, but only as intelligent as its featureset
allows for. The ability to monitor state was one of the first of these
more advanced features and now the sky is the limit.

You mention proxies - application-layer firewalls like
Gauntlet/Sidewinder and Raptor/SEF have the ability to look at traffic
in far more detail, in fact they spawn other processes to communicate
with the destination devices, this is more "active," still a firewall
by definition though.

Traditionally your definition of an IDS is correct but in the current
network security market and the amount of high-level salespeak used to
describe the features of IDS, IPS & firewalls, one could be forgiven
for using the generic tag IDS to describe any number of hybrid
detection, analysis and in some case mitigation devices out there.

To give you an example. Symantec bought Axent for their Raptor
Application-layer Proxy Firewall. They bought Recourse for their
Protocol-anomaly IDS, Manhunt. Manhunt, though always described as an
IDS as it does not sit inline in the network, is capable of sending
reset packets to block anomalously or signature-identified traffic in
mitigation. It can also send mitigation information to firewalls and
IPS devices.

To make things more confusing they have integrated the above with
their AV onto their SGS boxes which are all-in-one security
appliances. Fortigate sell one of these as well, Checkpoint are moving
in that direction as well.

My point is that definitions in this space are all over the place, and
I agree those of us who know the difference need to be careful,
however we should be coming up with accurate ways of describing how
things stand today in terms of actual functionality than outdated
(albeit originally correct) definitions.

For example calling something an"NIPS-NIDS-FW-AV-Content
filter-antispam-washes-the-dishes-as-well appliance" is long winded -
anyone have any ideas?

Especially where devices that detect and recommend mitigation
solutions - but do not act themselves, no clear name for this - though
Symantec did have something called Intrusion Prevention Solution which
was a combo of point products working together.

Rgds.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------