IDS mailing list archives
Re: Firewalls (was Re: IDS evaluations procedures)
From: Fergus Brooks <fergwa () gmail com>
Date: Tue, 19 Jul 2005 13:55:38 +0800
Devdas you say:
An IDS is not an attack prevention mechanism. An IDS is a tool to detect when your active attack detection mechanisms have been bypassed. An IDS is passive. It tells you what it can see, but it is not supposed to do anything to that traffic. Active elements are called firewalls, and firewalls include both packet filters and proxies.
Traditionally a firewall is nothing more than a gatekeeper that permits or denies traffic based on a predefined policy. "Active" in that it is powered on, but only as intelligent as its featureset allows for. The ability to monitor state was one of the first of these more advanced features and now the sky is the limit. You mention proxies - application-layer firewalls like Gauntlet/Sidewinder and Raptor/SEF have the ability to look at traffic in far more detail, in fact they spawn other processes to communicate with the destination devices, this is more "active," still a firewall by definition though. Traditionally your definition of an IDS is correct but in the current network security market and the amount of high-level salespeak used to describe the features of IDS, IPS & firewalls, one could be forgiven for using the generic tag IDS to describe any number of hybrid detection, analysis and in some case mitigation devices out there. To give you an example. Symantec bought Axent for their Raptor Application-layer Proxy Firewall. They bought Recourse for their Protocol-anomaly IDS, Manhunt. Manhunt, though always described as an IDS as it does not sit inline in the network, is capable of sending reset packets to block anomalously or signature-identified traffic in mitigation. It can also send mitigation information to firewalls and IPS devices. To make things more confusing they have integrated the above with their AV onto their SGS boxes which are all-in-one security appliances. Fortigate sell one of these as well, Checkpoint are moving in that direction as well. My point is that definitions in this space are all over the place, and I agree those of us who know the difference need to be careful, however we should be coming up with accurate ways of describing how things stand today in terms of actual functionality than outdated (albeit originally correct) definitions. For example calling something an"NIPS-NIDS-FW-AV-Content filter-antispam-washes-the-dishes-as-well appliance" is long winded - anyone have any ideas? Especially where devices that detect and recommend mitigation solutions - but do not act themselves, no clear name for this - though Symantec did have something called Intrusion Prevention Solution which was a combo of point products working together. Rgds. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- RE: IDS evaluations procedures, (continued)
- RE: IDS evaluations procedures Nathan Davidson (Jul 17)
- Re: IDS evaluations procedures Adam Powers (Jul 17)
- Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 18)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 20)
- Re: Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 21)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 22)
- Re: Firewalls (was Re: IDS evaluations procedures) Nick Black (Jul 21)
- Re: Firewalls (was Re: IDS evaluations procedures) Richard Bejtlich (Jul 21)
- Re: Firewalls (was Re: IDS evaluations procedures) Fergus Brooks (Jul 22)
- RE: Firewalls (was Re: IDS evaluations procedures) Mike Barkett (Jul 22)
- RE: IDS evaluations procedures Nathan Davidson (Jul 17)
- Re: Firewalls (was Re: IDS evaluations procedures) Fergus Brooks (Jul 20)
- Re: Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 21)
- Re: IDS evaluations procedures Jason (Jul 18)
- RE: IDS evaluations procedures Frank Knobbe (Jul 22)
- Re: IDS evaluations procedures Richard Bejtlich (Jul 21)
- Re: IDS evaluations procedures Richard Bejtlich (Jul 22)