Re: IPS (was: [fw-wiz] Sources for Extranet Designs?)

From: Bennett Todd (
Date: 02/26/04

  • Next message: Marcus J. Ranum: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
    Date: Thu, 26 Feb 2004 16:31:08 -0500

    I'll take a swing at the definition.

    First off, sure, it's a lot of marketing blither.

    But so far the gizmos I've seen marketed as IPS are signature-based
    Intrusion Detection Systems (IDSes) garnished with some mechanism
    for blocking the traffic. Passthrough devices that act like routers
    or bridges and refuse to pass packets that match sigs are a common
    pattern; there are others.

    I used to think the class of device "IPS" was completely useless.

    It's a subset of "firewall", under the definition (mjr's?) "a
    control system installed at a network choke point, commonly between
    nets with different security stances, to provide traffic control
    and/or monitoring".

    For most purposes, they're weak firewalls. A strong firewall refuses
    to pass prohibited traffic. An IPS has to get lucky.

    But recently I've come to realize that in some really really nasty
    situations, where an unchangeable external policy forces you to
    permit dangerous traffic to transit a traditional firewall, an IPS
    can be a valuable additional layer of defense. The classic situation
    seems to be that you can neither outlaw use of poorly-designed client
    apps, nor impose sufficiently draconian content type blocking to
    prevent them from providing a gateway of attack. For email, the
    traditional band-aid is a signature-based virus-scanner. For http
    there are some proxies that can do deep content analysis. But for
    all the zillions of other nightmares sprouting like mushrooms from
    the brainpans of irresponsible programmers (instant messaging,
    distributed collaboration apps, ...) an IPS can provide a somewhat
    protocol-generic engine that stands a chance of spotting signatures
    of common attack bases --- trampoline code, specific exploit code
    fragments, etc. --- for protocols for which you don't have a robust
    application-level proxy with suitable controls and analysis.

    So I still don't like 'em much, for most settings, but there do seem
    to be occasions when they can add value. Very unpleasant occasions.



    firewall-wizards mailing list
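As an added illustration of the distinction the post draws (not code from the post or the list), here is a toy model of a default-deny firewall chained with a signature-based passthrough IPS. The `Packet`, `Firewall` and `SignatureIPS` classes, the signature bytes and the traffic are all constructed for the example; the point it shows is that a per-packet matcher misses a signature split across two packets on a port policy forces open, while a matcher that carries flow state across packets catches it.

```python
from dataclasses import dataclass

# Constructed stand-in for an exploit-code fragment an IPS signature would carry.
SIG = b"CONSTRUCTED-EXPLOIT-FRAGMENT"

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

class Firewall:
    """Default-deny choke point: passes only traffic to explicitly allowed ports."""
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def permit(self, pkt):
        return pkt.dst_port in self.allowed

class SignatureIPS:
    """Passthrough signature matcher, per packet or with per-flow reassembly."""
    def __init__(self, signatures, reassemble=False):
        self.sigs = list(signatures)
        self.reassemble = reassemble
        self.window = max(len(s) for s in self.sigs) - 1  # bytes carried across packets
        self.tails = {}  # (src, dst_port) -> trailing bytes of that flow seen so far

    def permit(self, pkt):
        data = pkt.payload
        if self.reassemble:
            key = (pkt.src, pkt.dst_port)
            data = self.tails.get(key, b"") + pkt.payload
            self.tails[key] = data[-self.window:]  # enough to catch a straddling match
        return not any(s in data for s in self.sigs)

def verdicts(chain, packets):
    """Pass each packet through the devices in order; True means it is forwarded."""
    return [all(dev.permit(p) for dev in chain) for p in packets]

# Constructed traffic: a benign request, the signature split across two packets on
# a port policy forces open, and the same fragment aimed at a port the firewall denies.
PACKETS = [
    Packet("10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),
    Packet("10.0.0.5", 80, b"junk" + SIG[:10]),
    Packet("10.0.0.5", 80, SIG[10:] + b"more"),
    Packet("10.0.0.9", 445, SIG),
]

if __name__ == "__main__":
    print(verdicts([Firewall({80}), SignatureIPS([SIG], reassemble=True)], PACKETS))
```

With only the firewall, or the firewall plus a per-packet IPS, all three port-80 packets pass; with reassembly the third packet is dropped, and the port-445 packet never reaches the IPS at all.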
