Snort mailing list archives
RE: Re: [Snort-devel] IDS vs IPS
From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 29 Aug 2003 10:53:16 +0200
When I said policy enforcement I was talking about the corporate security policy, which encompasses the things you mentioned and more - access control is only one part of it. Firewalls are about enforcing that policy.

Firewalls have indeed evolved several times, mainly to overcome performance issues with the earlier - and still most secure - proxy model. Packet filtering offered us the speed, but was not always terribly secure (or at least was the most difficult to configure effectively in order to make it secure whilst providing the access needed). Stateful inspection firewalls were a good compromise (although even the stateful inspection guys have realised that they still need proxy services for some protocols). The point is moot, since most firewall vendors offer a hybrid product offering a combination of the above models these days.

But at no time have commercial firewalls done anything more than the most basic intrusion detection in the way that an IDS or IPS would. IDS and IPS do not really compare to a firewall in anything other than the most general assertion that their overall goal is to alert on/prevent unlawful activity whilst allowing legitimate access (according to the security policy in force at any given time).

This is what firewalls are all about. They are designed to prevent certain types of traffic and allow others. But in the traffic that is allowed, there is little or no capability to inspect that traffic for exploit/intrusion evidence and act on it - THAT is the job of IDS (which also provides far superior forensic capabilities).

Now, IPS devices as I defined them work in a similar way to IDS (NOT firewalls - they don't have proxy services and don't do an awful lot of stuff that firewalls can do) but they work in line - only in THIS respect are they similar to firewalls.

There is some overlap between IPS and firewalls (as there is between IPS and IDS). There is some similarity in the mode of deployment between IPS and firewalls (two or more interfaces, operating in-line). But the evolutionary path is clearly from IDS.

Actually, what difference does it make? I'm no longer sure why I am arguing this point....

As I said in my earlier e-mail, buy the technology that suits your requirements, whatever the marketing guys want to call it.

Regards,

Bob Walder
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason
Sent: 29 August 2003 06:14
To: bwalder () spamcop net
Cc: 'Frank Knobbe'; 'Mark Teicher'; 'Jeff Nathan'; Vkmobile () aol com; snort-users () lists sourceforge net; snort-devel () lists sourceforge net
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS

I disagree with the statement that firewalls are about policy enforcement. Traditional firewalls are about access control, this access control can be used for policy enforcement or it can be validation or it can be any number of other things.

The firewall has evolved and splintered several times. There are packet filtering firewalls, stateful firewalls, proxy based firewalls, and now what I would call inspection firewalls. Within each segment you have additional capabilities. There is mixing and matching of these capabilities all over the place and the better players in the market already do all of these functions to some degree. Policy enforcement is but a little piece of the firewall picture.

Because of this I still assert that the new IPS is the natural evolution of these capabilities and that the better suited players are the software based products that are free to adapt without changing hardware and developing new platforms. Simply put I think it is a lot easier for a software based solution to adapt to the case where the reward overcomes the risk.

A few of the new vendors were mentioned as being positioned well for this change, I would ask why then is the positioning for those products buy now and you will already have it when it is ready for prime time? I would rather spend that capital elsewhere and wait the same amount of time for my existing firewalls to be ready.
Bob Walder wrote:
One important distinction
Firewalls are about policy enforcement - IDS and IPS are about detection (as of THIS moment in time)
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users