RE: IDS vs. IPS deployment feedback

[Devdas Bhagat <devdas () dvb homelinux org>]

On 30/03/06 08:30 -0800, Andrew Plato wrote:
> > If by firewall, you mean a proxy which validates protocols 
> > and is in default deny mode, then you are just wrong.
>
> > If I don't have a proxy for it, I don't let the traffic through works
> just fine.
>
> > An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> > A real firewall looks at stuff on the wire, decides what is good, 
> > and allows it. A real firewall hooks into everything (servers, 
> > network equipment, desktops...).
>
> Proxy firewalls make up a small (and shrinking) percentage of the market
> of firewalls. And having worked with over 500 different companies, my

And that market-share is relevant how? Just because everyone thinks the
world is flat does not make it so.

> experience is that proxy-based firewalls are rarely deployed in the
> manner you describe. The default deny from unknown or unallowed
> protocols is almost ALWAYS turned off because it breaks some important

And that justifies an IPS?

> businesses system that was poorly coded. Furthermore, a proxy validating

Then the right thing to do is to fix the application.

> protocols still cannot stop a lot of exploits. Plenty of exploits live
> quite comfortably inside the RFC-specs for a protocol. And in this case,
> your proxy-firewall would do nothing to stop them. 
Actually, the proxy would know what valid traffic to expect. Regular
expressions are nice if used properly. Plug in a reverse proxy in front
of your webserver and block queries with SQL(ish) content embedded.

If you think that you can run an Internet facing system without knowing
what is on the network, you are just plain wrong.

> Most firewalls have no insight into application-layer content. And most

ITYM packet filters and not firewalls.

> exploits are application-layer exploits. This isn't just some insane
> idea, it's a fact. You can ignore this and tell yourself 10000 times you
> don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls
> are not sufficient protection for most organizations. 

Other than networking stack issues, everything else is an application
layer exploit. Not having a service installed, not running it, staying
patched, using proxies correctly, using well coded software, watching
your logs.....

> > Once you have a firewall in place, you need a system which 
> > analyses logs and traffic which gets through your firewall.
>
> Which is why you sandwich your firewall with a good IPS, so you can see
> what gets through and block it - if necessary.
IDS yes, IPS no. Oh, and good backups.

Devdas Bhagat

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------