IDS mailing list archives

Re: Firewalls (was Re: IDS evaluations procedures)


From: Richard Bejtlich <taosecurity () gmail com>
Date: Thu, 21 Jul 2005 07:55:36 -0400

On 7/20/05, Nick Black <dank () qemfd net> wrote:
Richard Bejtlich rigorously showed:
In fact, you could argue the IPS is a step backward from a stateful
layer 3/4 firewall in that the IPS inverts a proven security model.
Good security (implemented on most firewalls) says "allow what policy
says is authorized, deny all else."  The IPS model says "deny what
policy says is malicious, allow all else."  Marty pointed this out a
while ago and it has stayed with me.

This statement seems quite too general -- who is to define the "IPS
model" as it is implemented in a wide swath of appliances? I can speak
with some authority regarding our hybridized approach here at Reflex,
and suggested deployment procedure: the very first activity performed on
a new install is the same determination of necessary network traffic one
would codify when preparing a link/network/transport-layer firewall.
Signature and anomaly-based detection follows this basic {protocol X
addressing}-based blacklisting (although it can also be applied to data
already rejected, should a customer wish to spend resources examining
such).

Your issue seems to be more properly with those who configure IPS
devices, and perhaps those who write misleading documentation and
marketing info, than with the "IPS model".


Hi Nick and list,

If someone configures their layer 3/4 firewall to block, say, ports
111 TCP and 445 TCP, and let everything else pass, we would agree that
is a poor deployment model.  People still do this, unfortunately.

If someone configures their layer 7 firewall (aka IPS) to block
traffic identified by signature, anomaly, vulnerability, whatever, and
let everything else pass, now we're discussing the way almost everyone
deploys IPSs.

I have not heard anyone defining and passing "authorized" traffic and
denying everything else via IPS.  In fact, a hot hardware item these
days is inline bypass switches to avoid inline IPSs that fail.
"Better to keep the traffic flowing than fail closed!" is the
rationale.

I detest the term IPS, as it is a pure marketing term.  It was created
by companies that needed to define a new access control product niche
to compete against the firewall giants of the early 2000s.  (All
defensive measures are trying to prevent intrusions.)

However, I am not disrespecting the technology. Anything which can
make smarter access control decisions is extremely helpful and an
important part of the security arsenal.

Sincerely,

Richard
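The two access-control models argued over above, default-deny ("allow what policy authorizes, deny all else") and default-allow ("deny what policy calls malicious, allow all else"), can be made concrete by running both over the same traffic. The script below is an added illustration, not code from either poster; the flows, the authorized-service list, the blocked-port list and the inline-device fail behaviour are all constructed for the example. It shows that the two models agree on the ports both sides name (111/tcp, 445/tcp) and on ordinary web and mail traffic, but diverge on a service nobody wrote a rule for, and it models the bypass-switch point: an inline device that fails open passes everything.

```python
"""Default-deny vs default-allow access control over the same flows.

Added example, not code from the thread. All flows, policy sets and the
fail-open/fail-closed behaviour below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


Service = Tuple[str, int]  # (proto, destination port)

# Constructed sample traffic: ordinary web/mail/DNS, the two ports the
# message names as a poor block-list, and a service with no rule at all.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.1.5", "192.0.2.10", "tcp", 80),
    Flow("10.1.1.5", "192.0.2.10", "tcp", 443),
    Flow("10.1.1.5", "192.0.2.20", "tcp", 25),
    Flow("10.1.1.7", "192.0.2.10", "tcp", 111),   # portmapper
    Flow("10.1.1.7", "192.0.2.10", "tcp", 445),   # SMB
    Flow("10.1.1.9", "192.0.2.10", "tcp", 6667),  # unlisted service
    Flow("10.1.1.9", "192.0.2.10", "udp", 53),
]

# Constructed policy contents.
AUTHORIZED: Set[Service] = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}
BLOCKED: Set[Service] = {("tcp", 111), ("tcp", 445)}

Policy = Callable[[List[Flow], Set[Service]], Dict[Flow, str]]


def default_deny(flows: List[Flow], authorized: Set[Service]) -> Dict[Flow, str]:
    """Firewall model: allow only what policy authorizes, deny all else."""
    return {f: ("allow" if (f.proto, f.dport) in authorized else "deny") for f in flows}


def default_allow(flows: List[Flow], blocked: Set[Service]) -> Dict[Flow, str]:
    """Block-list model: deny what policy calls bad, allow all else."""
    return {f: ("deny" if (f.proto, f.dport) in blocked else "allow") for f in flows}


def passed_only_by_blacklist(flows: List[Flow], authorized: Set[Service],
                             blocked: Set[Service]) -> List[Flow]:
    """Flows the default-allow model passes but default-deny would stop.

    This is exactly the traffic an operator never wrote a rule for.
    """
    deny_model = default_deny(flows, authorized)
    allow_model = default_allow(flows, blocked)
    return [f for f in flows if allow_model[f] == "allow" and deny_model[f] == "deny"]


def inline_device(flows: List[Flow], policy: Policy, policy_set: Set[Service],
                  healthy: bool = True, bypass: bool = True) -> Dict[Flow, str]:
    """Inline device with an optional bypass switch (constructed model).

    When the device fails and a bypass switch is fitted, every flow is
    passed unexamined (fail open). Without bypass the link drops (fail closed).
    """
    if healthy:
        return policy(flows, policy_set)
    verdict = "allow" if bypass else "deny"
    return {f: verdict for f in flows}


if __name__ == "__main__":
    for name, verdicts in (("default-deny", default_deny(SAMPLE_FLOWS, AUTHORIZED)),
                           ("default-allow", default_allow(SAMPLE_FLOWS, BLOCKED))):
        print(name)
        for f, v in verdicts.items():
            print(f"  {f.proto}/{f.dport:<5} {f.src} -> {f.dst}: {v}")
    leaked = passed_only_by_blacklist(SAMPLE_FLOWS, AUTHORIZED, BLOCKED)
    print("passed only by the block-list model:",
          [f"{f.proto}/{f.dport}" for f in leaked])
    failed_open = inline_device(SAMPLE_FLOWS, default_allow, BLOCKED,
                                healthy=False, bypass=True)
    print("verdicts after a fail-open bypass:", set(failed_open.values()))
```

Under these constructed policies both models deny 111/tcp and 445/tcp and allow the web, mail and DNS flows; the only disagreement is the unlisted 6667/tcp flow, which the block-list model passes. The `inline_device` helper makes the fail-open trade-off visible: once the device is down and bypassed, the policy set no longer matters at all.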
