RE: [fw-wiz] Sources for Extranet Designs?

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/23/04

    To: "Wes Noonan" <mailinglists@wjnconsulting.com>, "'Baumann, Sean C.'" <Sean.Baumann@celera.com>, "'R. DuFresne'" <dufresne@sysinfo.com>
    Date: Mon, 23 Feb 2004 17:08:41 -0500
    
    

    Wes Noonan wrote:
    >IPS would be a no brainer for me in this scenario.

    I. Hate. To. Admit. It. But. You. May. Be Right.

    IPS hype aside, and ignoring what the Gartner idiots think,
    there's a conceptual value to the IPS concept. Basically, a
    firewall implements one of 2 policies:
            - Permit
            - Deny

    IPS (i.e.: a signature-based firewall) adds a third option to the
    policy matrix:
            - Permit
            - Deny
            - Permit it as long as it is not obviously abusive (e.g.: signature
                    hasn't fired)

    That's actually kind of cool. It means you can set up a connection
    for your business partner and let the traffic (for the minimum subset of
    services needed, of course!) go through. Then if the business
    partners generate traffic that is abusive or appears abusive you
    have useful information that you can further use to diagnose what
    they are doing. "Hey, mister outsourcer, why are you Nmapping
    my network?"

    Of course since IPS is signature-based you're going to have the
    same kind of issues with false positives as you have with an IDS.
    But, since your business partners (in theory) should be communicating
    with you in a pretty plain vanilla manner, it should work OK.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
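The three-way policy matrix described in the post, as an added example that is not from the original thread or from any product: a small Python model in which agreed services are permitted only while no signature has fired for that partner host. The port-sweep signature, the threshold and all addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str        # partner-side address (constructed, no real hosts)
    dport: int      # service on our side

@dataclass(frozen=True)
class Verdict:
    action: str                      # "permit" or "deny"
    signature: Optional[str] = None  # signature that fired, for follow-up with the partner

class PortScanSignature:
    """Fires once one source has touched at least `threshold` distinct ports."""
    name = "port-scan"
    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.ports_seen: dict[str, set[int]] = defaultdict(set)
    def __call__(self, flow: Flow) -> bool:
        self.ports_seen[flow.src].add(flow.dport)
        return len(self.ports_seen[flow.src]) >= self.threshold

@dataclass
class ExtranetPolicy:
    partner_hosts: set[str]     # who the extranet link is for
    allowed_services: set[int]  # the minimum subset of services the partner needs
    signatures: list = field(default_factory=list)
    flagged: dict = field(default_factory=dict)  # src -> name of signature that fired

    def evaluate(self, flow: Flow) -> Verdict:
        if flow.src not in self.partner_hosts:
            return Verdict("deny")  # policy 1: Deny (not a partner host)
        # Signatures see every partner flow, including ones the plain rules deny,
        # so behaviour across a sequence (a port sweep) is visible.
        for sig in self.signatures:
            if sig(flow):
                self.flagged[flow.src] = sig.name
        if flow.src in self.flagged:  # policy 3 revoked: a signature has fired
            return Verdict("deny", self.flagged[flow.src])
        if flow.dport not in self.allowed_services:
            return Verdict("deny")  # policy 1: Deny (not an agreed service)
        return Verdict("permit")    # policy 3: Permit while no signature has fired

def run_sequence(policy: ExtranetPolicy, flows: list) -> list:
    return [policy.evaluate(f) for f in flows]
```

A deny that carries a signature name is the "useful information" the post refers to; a hit on a partner's routine traffic is the false-positive case to rule out before raising it with them.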

