RE: [fw-wiz] Sources for Extranet Designs?
From: Don Parker (dparker_at_rigelksecurity.com)
Date: 02/23/04
- Previous message: Marcus J. Ranum: "RE: [fw-wiz] Sources for Extranet Designs?"
- Maybe in reply to: Baumann, Sean C.: "[fw-wiz] Sources for Extranet Designs?"
- Next in thread: Chris Blask: "RE: [fw-wiz] Sources for Extranet Designs?"
- Reply: Chris Blask: "RE: [fw-wiz] Sources for Extranet Designs?"
- Reply: Ben Nagy: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
To: "Marcus J. Ranum" <mjr@ranum.com>, "Wes Noonan" <mailinglists@wjnconsulting.com>, "'Baumann, Sean C.'" <Sean.Baumann@celera.com>, "'R. DuFresne'" <dufresne@sysinfo.com>
Date: Mon, 23 Feb 2004 17:59:35 -0500 (EST)
Yes indeed IPS is an excellent technology that is slowly maturing. There is still
nothing wrong with the IDS though. Where the problem resides though is in the human
interface to it. A distinct lack of knowledge, and sometimes education is the main
problem when it comes to these technologies. I am however beating a dead horse vis
a vis this in this mailing list. Heh, one of the main gripes I hear is the huge
amount of data to cull through that is generated by an IPS/IDS. Were they up to speed
on how to sift that data using bpf filters/bit masking there would not be a problem :-)
Cheers!
Don
-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
On Feb 23, "Marcus J. Ranum" <mjr@ranum.com> wrote:
Wes Noonan wrote:
>IPS would be a no brainer for me in this scenario.
I. Hate. To. Admit. It. But. You. May. Be Right.
IPS hype aside, and ignoring what the Gartner idiots think,
there's a conceptual value to the IPS concept. Basically, a
firewall implements one of 2 policies:
- Permit
- Deny
IPS (i.e.: a signature-based firewall) adds a third option to the
policy matrix:
- Permit
- Deny
- Permit it as long as it is not obviously abusive (e.g.: signature
hasn't fired)
That's actually kind of cool. It means you can set up a connection
for your business partner and let the traffic (for the minimum subset of
services needed, of course!) go through. Then if the business
partners generate traffic that is abusive or appears abusive you
have useful information that you can further use to diagnose what
they are doing. "Hey, mister outsourcer, why are you Nmapping
my network?"
Of course since IPS is signature-based you're going to have the
same kind of issues with false positives as you have with an IDS.
But, since your business partners (in theory) should be communicating
with you in a pretty plain vanilla manner, it should work OK.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
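
The three-option policy matrix from the quoted message, written out as an added example that is not part of the original thread. The partner network, ports, rule base and the distinct-port scan signature with its threshold are all assumptions, and the traffic is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

PERMIT, DENY, CONDITIONAL = "permit", "deny", "permit-unless-signature-fires"

# Hypothetical rule base, first match wins: (source net, dest port or None=any, action).
RULES = [
    (ip_network("192.0.2.0/24"), 443, CONDITIONAL),  # partner -> web application
    (ip_network("192.0.2.0/24"), 22, CONDITIONAL),   # partner -> file transfer host
    (ip_network("0.0.0.0/0"), None, DENY),           # everything else
]
SCAN_THRESHOLD = 5  # assumed signature: this many distinct dest ports from one source


class ExtranetPolicy:
    def __init__(self):
        self.ports_seen = defaultdict(set)  # source -> dest ports attempted so far
        self.flagged = set()                # sources whose signature has fired

    def decide(self, src, dport):
        """Return the verdict for one connection attempt."""
        self.ports_seen[src].add(dport)
        if len(self.ports_seen[src]) >= SCAN_THRESHOLD:
            self.flagged.add(src)
        for net, port, action in RULES:
            if ip_address(src) in net and port in (None, dport):
                if action == CONDITIONAL:
                    return DENY if src in self.flagged else PERMIT
                return action
        return DENY

    def evidence(self, src):
        """Ports a flagged source tried: the record to take back to the partner."""
        return sorted(self.ports_seen[src]) if src in self.flagged else []


# Constructed sample traffic: (source address, destination port).
SAMPLE = [("192.0.2.10", 443), ("192.0.2.10", 22), ("198.51.100.7", 443)] + [
    ("192.0.2.66", p) for p in (21, 22, 23, 25, 80, 443)
]

def run(events):
    policy = ExtranetPolicy()
    return [(s, p, policy.decide(s, p)) for s, p in events], policy

if __name__ == "__main__":
    verdicts, policy = run(SAMPLE)
    for row in verdicts:
        print(*row)
    print("evidence for 192.0.2.66:", policy.evidence("192.0.2.66"))
```

The well-behaved partner host keeps its access, while the host that walks across ports loses the conditional permit once the signature fires and leaves a port list behind for the follow-up conversation.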