IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: "\"Zow\" Terry Brugger" <zow () acm org>
Date: Wed, 22 Oct 2008 08:56:33 -0700

> > Can someone please explain how is an IDS different from an application proxy firewall in terms of what each of them
> > looks for in a packet.

> An application proxy is a non-transparent device working inline at the
> application layer.

Unless it is a transparent application proxy, which is probably
growing a lot faster than the traditional application proxies, as they
don't require reconfiguration of the proxy settings on hundreds or
thousands of machines. BlueCoat is the 800lb gorilla in this space.

> An IDS, assuming that you are talking about a network
> IDS, is a transparent device which works at the network and transport
> layer, usually as a sniffer.

Unless it is an IPS, in which case it either runs in-line and blocks
connections it thinks are suspicious, or it just sniffs, but instructs
some other piece of network equipment (such as a firewall or router)
to drop or block certain connections or IPs.

> Basically, they are as different as two networking devices can be. I see
> no point whatsoever in comparing them.

I don't think the picture is quite so black-or-white.

The difference I'd see is that network IDS/IPS devices typically look
for specific signatures (sequences of bytes, regular expressions,
certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
or network (IP) level packet. Most can do some degree of session
reassembly, but only in so far as to catch signatures which are
divided across multiple packets. Application proxies, on the other
hand, examine traffic at the application layer. Typically, they
enforce protocol semantics for that application, which prevents
someone from connecting to an IRC server on port 80 (because it's
"always open"). This works because the HTTP proxy now handling port 80
traffic will only talk HTTP, so when the IRC client tries to connect
through it, it won't work. I haven't seen too much in the way of
actual attack detection in application proxies; however, it is the
natural place to look for attacks on a deeper semantic level for a
given application protocol, such as cross-site scripting attacks in
HTML over HTTP. I think the main argument against doing it there is
that it would be expensive, and that's something that can be handled
by the individual browsers.

Hope this helps,
Terry

#include <stddisclaim.h>
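The two inspection styles Terry contrasts, as an added illustration that is not part of the original thread: a signature matcher of the kind a network IDS runs over (reassembled) payload bytes, beside a protocol-semantics check of the kind an HTTP proxy applies, run against a constructed IRC handshake sent on port 80. All payloads, signature names and function names here are constructed for the example.

```python
import re

# Constructed sample payloads (not captured traffic).
IRC_ON_80 = b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #chat\r\n"
HTTP_OK = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

# --- NIDS-style inspection: byte/regex signatures over payload ---------------
SIGNATURES = [
    ("irc-handshake", re.compile(rb"^(NICK|USER) ", re.M)),
    ("script-tag", re.compile(rb"<script", re.I)),
]

def segment(payload, cuts):
    """Constructed 'packetisation': cut one stream at the given byte offsets,
    returning (seq, bytes) segments as a sensor would see them on the wire."""
    bounds = [0, *cuts, len(payload)]
    return [(i, payload[a:b]) for i, (a, b) in enumerate(zip(bounds, bounds[1:]))]

def reassemble(segments):
    """Minimal stream reassembly: order by sequence number and concatenate."""
    return b"".join(data for _, data in sorted(segments))

def match_signatures(payload):
    """Names of every signature that fires on this byte string."""
    return [name for name, rx in SIGNATURES if rx.search(payload)]

def match_per_packet(segments):
    """What a sensor without reassembly sees: each segment inspected alone,
    so a signature split across two segments is missed."""
    return [hit for _, data in segments for hit in match_signatures(data)]

# --- Application-proxy-style enforcement: only well-formed HTTP passes --------
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")

def http_proxy_accepts(stream):
    """True only if the stream opens with an HTTP/1.x request line. The proxy
    never looks for IRC; anything that is not HTTP simply fails to parse."""
    head, sep, _ = stream.partition(b"\r\n")
    return bool(sep) and REQUEST_LINE.match(head) is not None

if __name__ == "__main__":
    segs = segment(IRC_ON_80, [2, 14])      # "NI" | "CK alice\r\nUS" | "ER ..."
    print("per-packet :", match_per_packet(segs))              # []
    print("reassembled:", match_signatures(reassemble(segs)))  # ['irc-handshake']
    print("proxy, IRC :", http_proxy_accepts(IRC_ON_80))       # False
    print("proxy, HTTP:", http_proxy_accepts(HTTP_OK))         # True
```

The split offsets are chosen so that neither "NICK " nor "USER " appears at a line start inside any single segment, which is exactly the case reassembly exists to cover.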
