IDS mailing list archives

RE: Terminology: Inline IDS, IPS and Application Layer Firewall


From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Tue, 28 Feb 2006 12:07:54 -0500

Andreas,

An inline IDS is still an IDS and has limited if any capability to
actually prevent the intrusions that it detects. Contrast this with an
IPS which typically has more extensive capabilities to prevent
intrusions. Many inline IPS systems can be successfully deployed as an
inline IDS. However, an inline IDS would typically make an
unsatisfactory IPS.

An application layer firewall (forgive me if you already know this)
would look at the network traffic as a series of transactions and allow
you to control which transactions are allowed based upon a set of rules
that you define. Whereas a layer 3/4 firewall would allow you to specify
rules in terms of IP address and TCP/UDP ports, an application layer
firewall would allow you to specify terms such as URL for HTTP traffic
in addition to the layer 3/4 terms for example. That is, you could
control access to individual URLs if your application layer firewall
were HTTP-aware.

Conceptually, the application layer firewall provides you tools to use
your knowledge of normal, acceptable traffic on your network to limit
your risk from potentially unknown attacks. Whereas, the typical IPS
provides you tools to use the vendor's knowledge of known (or
predictable) attacks to limit the risk to the potentially unknown
traffic and assets on your network. As such, the two technologies are
complementary and there is often some level of crossover in the
product-spaces. That is, application level firewalls may include some
limited IPS capability. IPS products may include some application level
firewall capabilities.

I hope this helps,
Paul

-----Original Message-----
From: Andreas Hess [mailto:hess () tkn tu-berlin de] 
Sent: Friday, February 24, 2006 5:29 AM
To: focus-ids () securityfocus com
Subject: Terminology: Inline IDS, IPS and Application Layer Firewall


Hi,
I wonder if there are any conceptual differences between:
- inline IDSs,
- IPS and
- Application Layer Firewalls

Or are these just three terms that mean the same?
To my understanding all three concepts do access control up to the
application layer and in addition, they all have a certain impact on
the network performance as all packets are routed through them.

Regards
Andreas
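To make Paul's distinction concrete, here is an added example (not code from either poster or from any product): an HTTP-aware application layer firewall that allow-lists the transactions you define on layer 3/4 terms plus URL, beside an IPS-style check that drops only traffic matching known signatures. All rules, signatures and sample requests are constructed for the illustration.

```python
"""Added example (not from either post): an HTTP-aware application layer
firewall allow-lists transactions you define (default deny), while an IPS
drops traffic matching vendor signatures (default allow). All rules,
signatures and traffic below are constructed for illustration."""
import posixpath
import re
from ipaddress import ip_address, ip_network


def parse_http_request(raw: bytes) -> dict:
    """Return method and normalised path from a minimal HTTP/1.x request."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, _version = line.split(" ")
    # Normalise so "/a/../b" cannot slip past a URL prefix rule.
    return {"method": method, "path": posixpath.normpath(target.split("?")[0])}


# Application layer firewall rules: layer 3/4 terms plus an HTTP URL term.
APP_FW_RULES = [
    {"src": ip_network("10.0.0.0/8"), "dport": 80, "method": "GET", "prefix": "/catalog/"},
    {"src": ip_network("10.0.5.0/24"), "dport": 80, "method": "POST", "prefix": "/orders/"},
]

# IPS signatures: constructed stand-ins for a vendor's known-attack patterns.
IPS_SIGNATURES = [re.compile(rb"\.\./"), re.compile(rb"<script", re.I)]


def app_firewall_decision(src: str, dport: int, raw: bytes) -> str:
    """Default deny: only a transaction matching one of your rules passes."""
    req = parse_http_request(raw)
    for rule in APP_FW_RULES:
        if (ip_address(src) in rule["src"] and dport == rule["dport"]
                and req["method"] == rule["method"]
                and req["path"].startswith(rule["prefix"])):
            return "ALLOW"
    return "DENY"


def ips_decision(raw: bytes) -> str:
    """Default allow: only traffic matching a known signature is dropped."""
    return "DROP" if any(sig.search(raw) for sig in IPS_SIGNATURES) else "PASS"


# Constructed sample transactions from an internal client.
NORMAL = b"GET /catalog/item?id=7 HTTP/1.1\r\nHost: shop\r\n\r\n"
UNEXPECTED = b"GET /admin/export HTTP/1.1\r\nHost: shop\r\n\r\n"  # unknown URL, no signature
KNOWN_BAD = b"GET /catalog/../../private/config HTTP/1.1\r\nHost: shop\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("unexpected", UNEXPECTED), ("known_bad", KNOWN_BAD)]:
        print(name, app_firewall_decision("10.0.1.2", 80, req), ips_decision(req))
```

The unexpected request shows the crossover: the IPS passes it because no signature matches, while the application layer firewall denies it because no defined rule covers that URL.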



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

