Re: [fw-wiz] Corporate H/N IPS

From: Marcus J. Ranum (mjr@ranum.com)
Date: 12/17/02


To: Chris Boscolo <Chris.Boscolo@watchguard.com>, firewall-wizards@honor.icsalabs.com
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Tue Dec 17 08:16:47 2002

Chris Boscolo wrote:
>Getting back to the original thread, "what Marketing people are calling IPS
>is just a repackaging of application proxy Firewalls", there is no question
>that there are great similarities between the two. It should be noted that
>from a packet-flow perspective there is actually a big difference between
>application proxy-based firewalls and IPS that are based on NIDS systems
>that do TCP reassembly.

Nah, that's just an implementation detail. TCP reassembly and IP
state tracking happen in decent IDS or decent proxy firewalls.
The early proxy firewalls used the host systems' IP stack to
implement TCP (after all, it's a perfectly good stack, why not
use it...?) but they could have just as easily done the IP in
userland in which case they'd look just like a NID. Honeyd actually
does something pretty close to exactly that. You could make a
proxy firewall where the proxies ran in kernel mode - heck, you
could attach the proxy state right into the IP stack if you
wanted to, but IP stacks as you point out don't handle gazillions
of connections really well. But fundamentally, state tracking
and TCP reassembly are a function that needs to happen to "do
it right" - where it happens doesn't make much difference, as
long as it happens low enough in the stack to protect the
host system itself.

mjr.

---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjr@ranum.com
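As an added illustration of the reassembly point above (example code written for this page, not Marcus Ranum's or any product's code): a toy per-flow TCP reassembler in Python, run over constructed traffic in which a content signature is split across three segments delivered out of order, with one overlapping and one retransmitted segment. Per-segment matching sees nothing; matching on the reassembled stream, the stream the host will actually see, finds the signature. The overlap policy assumed here (bytes already delivered are kept, later overlapping data is trimmed) is one defensible choice, not the only one.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes

@dataclass
class StreamState:
    """Per-flow state for one direction: next expected byte and held-back segments."""
    next_seq: int
    pending: list = field(default_factory=list)
    stream: bytearray = field(default_factory=bytearray)

    def add(self, seg: Segment) -> None:
        self.pending.append(seg)
        progressed = True
        while progressed:                      # drain whatever has become contiguous
            progressed = False
            for s in list(self.pending):
                end = s.seq + len(s.payload)
                if end <= self.next_seq:       # wholly old data (retransmission): drop
                    self.pending.remove(s)
                elif s.seq <= self.next_seq:   # contiguous; trim a left overlap, keeping
                    self.stream += s.payload[self.next_seq - s.seq:]  # bytes already delivered
                    self.next_seq = end
                    self.pending.remove(s)
                    progressed = True

def stateless_hits(segments, pattern):
    """Per-segment matching: only sees a pattern lying wholly inside one segment."""
    return sum(1 for s in segments if pattern in s.payload)

def stateful_hits(segments, pattern, isn):
    """Reassemble first, then match on the byte stream the host will see."""
    st = StreamState(next_seq=isn)
    for s in segments:
        st.add(s)
    data = bytes(st.stream)
    return data.count(pattern), data

# Constructed sample (assumed, not captured traffic): the marker header is split
# across three segments, delivered out of order, with overlap and a retransmit.
ISN = 1000
FULL = b"GET / HTTP/1.0\r\nX-Demo-Signature: 1\r\n\r\n"
PATTERN = b"X-Demo-Signature: 1"
SEGMENTS = [
    Segment(ISN + 28, FULL[28:]),      # arrives first, out of order
    Segment(ISN, FULL[:20]),
    Segment(ISN + 18, FULL[18:28]),    # overlaps the previous segment by 2 bytes
    Segment(ISN, FULL[:20]),           # retransmission of already-delivered data
]
```

Calling `stateless_hits(SEGMENTS, PATTERN)` gives 0 while `stateful_hits(SEGMENTS, PATTERN, ISN)` gives 1 with the stream equal to `FULL`.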