RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/26/04

  • Next message: Marcus J. Ranum: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
    To: "Stiennon,Richard" <Richard.Stiennon@gartner.com>, "Ben Nagy" <ben@iagu.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 26 Feb 2004 17:00:00 -0500
    
    

    Stiennon,Richard wrote:
    >Network IPS:
    >An inline device that assembles packets into streams or sessions and parses them.

    So far, that's a "firewall" - the first firewalls did all that inherently since they
    were proxies. The second-generation firewalls with "transparent proxies"
    did the same thing but with less impact on the user experience. It was the
    third-generation "network layer" firewalls (pix, Checkpoint) that stepped
    away from full stream reassembly and termination and switched to "stateful
    inspection" - which was actually less stateful than a proxy (at both TCP
    and layer 7) but you gotta hand it to those CheckPoint marketing guys.
    They really earned their stock options with that one...

    >Multiple methodologies to determine malicious intent. Usually includes signature, protocol anomaly, behavior and flow capabilities.

    Many first generation proxy firewalls did this, too. DEC SEAL had a rate
    limiter feature that would saw off a connection that attempted to tunnel
    outgoing traffic over an FTP command stream or TELNET session. Protocol
    anomaly detection was inherent in most if not all of the early proxy
    firewalls. I know SEAL and Gauntlet both did exhaustive checks for
    protocol errors and violation attempts in SMTP, HTTP, and FTP. You
    can call 'em "signatures" or "protcol anomaly" but I can tell you that
    Gauntlet and SEAL each did several dozen checks for malicious
    intent. Dozens of signatures is low by today's marketing numbers
    but we're talking starting this in 1991.

    >The ability to drop sessions associated with attacks. Note, this is dramatically different than a firewall that can close *connections* based on source-destination-port.

    No it's not!!!!

    At least DEC SEAL, Tis Gauntlet, MilkyWay BlackHole, Raptor Eagle,
    Secure Computing Sidewinder, and Harris Cyberguard all had these
    capabilities - some as early as 1991 and all of them by 1994. What did
    these devices have in common? They were all - firewalls.

    Sounds like you've defined "Intrusion Prevention" as a "first generation
    proxy firewall" OK, OK, I'm just jerking your chain. Intrusion Prevention
    CAN'T be something as simple and stupid and ancient as a firewall
    that detects and closes sessions based on application layer attack
    detection. That's not sexy, is it? And sexing up and hyping stuff is
    your job, isn't it? Those startups' marketing departments aren't
    gonna pay Gartner big bucks to put them on the proxy firewall
    magic quadrant, are they?

    >Definitions are often helped out by a set of reference vendors. In my mind, Tippingpoint, TopLayer, Radware, NAI Intrushield, Netscreen IDP, Reflex Security and even Checkpoint Intrespect all fit this definition.

    In terms of your "definition" probably 90% of the firewall products that have
    ever been on the market are IPS.

    >Host IPS:
    >
    >A software shim (firewall) that sits between the kernel and the application. System calls are intercepted and blocked if they are outside the "allow" policy.

    This sounds like *EVERY* antivirus product on the market, and that
    has ever been on the market, since the first antivirus product latched
    a DOS interrupt.

    > Much simpler space with only three vendors, Cisco Secure Agent (was Okena), NAI Entercept, and Sana Security. A start up called Araksha is also looking at this space but they go much deeper into the application at run time.

    What about the stack-based shims like Network Ice, Tiny Trojan Trap,
    even ZoneAlarm, that handle network traffic inline and also are aware
    of application state?

    >The firewall vendors are excited by IPS because it is a product that can be deployed deep inside a network.

    Everyone is excited about IPS because Gartner has hyped the
    hell out of it and Gartner's own analysts (apparently) can't come up
    with a decent definition of what it is.

    I'll tell you what it is: it's hype. That's all.

    The firewall vendors are excited about IPS because it's offering
    them a chance to re-brand existing stuff, write some new
    marketing glossies, and try to sell their firewalls on the interior
    of the network. Guess what? We (us old-timer security guys)
    have been telling customers forever that internal firewalls are
    a good idea. You can call it IPS or you can call it a firewall
    but it's gonna do the same thing and it's gonna be just as
    tough a sell for the enterprise.

    IDS vendors are "excited" about IPS because Gartner
    "researchers" announced that their products are obsolete
    and useless while simultaneously hyping a market concept
    that has no real distinctions from that which has gone
    before it. So all the IDS vendors are having to react to
    Gartner's ex cathedra pronouncements because their customers
    have bean-counters and senior management that are still
    so technically illiterate that they take Gartner research as
    gospel.

    In other words, Gartner has created a self-fulfilling circle-jerk.

    > Initial traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on "academic freedom".

    Since we've got you here, maybe you can give us an idea
    of how many universities are doing IPS inline? When Gartner
    announced IDS was dead and long live IPS I was unable to find
    a *SINGLE* organization that was actually running an Intruvert
    (the product Gartner claimed was the best) inline. Nobody on
    this list (which encompasses a fairly large body of security
    practitioners) came forward, either. Who is doing IPS inline and
    how in the heck is that different from a firewall?

    Anyone on the list care to corroborate this?

    >Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.

    Anyone on the list care to corroborate this?

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Marcus J. Ranum: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"

    Relevant Pages

    • [fw-wiz] Re: IPS
      ... > inline. ... adding an extra layer of security around an open network. ... whether implemented in a firewall like ... Checkpoint's SmartDefense or a standalone, inline "IDP" product, ...
      (Firewall-Wizards)
    • Re: amount of alarms generated by IDS
      ... I have to agree with Rob and I must debate the classification of inline ... IPS as simply an IDS with the ability to drop malicious looking packets. ... The comparison is more appropriately made as a firewall with the ability ...
      (Focus-IDS)
    • RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
      ... Network IPS: ... this is dramatically different than a firewall that can close *connections* based on source-destination-port. ... The Network ... The Host ...
      (Firewall-Wizards)
    • RE: Experiences with Toplayer Attack Mitigator IPS
      ... Experiences with Toplayer Attack Mitigator IPS ... network intrusion uk guys who are coming out with the IPS shootout ... as security vendors are so fond of touting nowadays? ... > - Make firewall, VPN, and NAT rules interoperable across heterogeneous ...
      (Focus-IDS)
    • Re: Analysing and configuring IPS/IDS Policies
      ... If you have no faith in the firewall or you are concerned about more ... Remove the IPS from the network. ... policies and logs on those devices. ...
      (Focus-IDS)