RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
From: Marcus J. Ranum (mjr_at_ranum.com)
To: "Stiennon,Richard" <Richard.Stiennon@gartner.com>, "Ben Nagy" <firstname.lastname@example.org>, <email@example.com> Date: Thu, 26 Feb 2004 17:00:00 -0500
>An inline device that assembles packets into streams or sessions and parses them.
So far, that's a "firewall" - the first firewalls did all that inherently since they
were proxies. The second-generation firewalls with "transparent proxies"
did the same thing but with less impact on the user experience. It was the
third-generation "network layer" firewalls (pix, Checkpoint) that stepped
away from full stream reassembly and termination and switched to "stateful
inspection" - which was actually less stateful than a proxy (at both TCP
and layer 7) but you gotta hand it to those CheckPoint marketing guys.
They really earned their stock options with that one...
>Multiple methodologies to determine malicious intent. Usually includes signature, protocol anomaly, behavior and flow capabilities.
Many first generation proxy firewalls did this, too. DEC SEAL had a rate
limiter feature that would saw off a connection that attempted to tunnel
outgoing traffic over an FTP command stream or TELNET session. Protocol
anomaly detection was inherent in most if not all of the early proxy
firewalls. I know SEAL and Gauntlet both did exhaustive checks for
protocol errors and violation attempts in SMTP, HTTP, and FTP. You
can call 'em "signatures" or "protcol anomaly" but I can tell you that
Gauntlet and SEAL each did several dozen checks for malicious
intent. Dozens of signatures is low by today's marketing numbers
but we're talking starting this in 1991.
>The ability to drop sessions associated with attacks. Note, this is dramatically different than a firewall that can close *connections* based on source-destination-port.
No it's not!!!!
At least DEC SEAL, Tis Gauntlet, MilkyWay BlackHole, Raptor Eagle,
Secure Computing Sidewinder, and Harris Cyberguard all had these
capabilities - some as early as 1991 and all of them by 1994. What did
these devices have in common? They were all - firewalls.
Sounds like you've defined "Intrusion Prevention" as a "first generation
proxy firewall" OK, OK, I'm just jerking your chain. Intrusion Prevention
CAN'T be something as simple and stupid and ancient as a firewall
that detects and closes sessions based on application layer attack
detection. That's not sexy, is it? And sexing up and hyping stuff is
your job, isn't it? Those startups' marketing departments aren't
gonna pay Gartner big bucks to put them on the proxy firewall
magic quadrant, are they?
>Definitions are often helped out by a set of reference vendors. In my mind, Tippingpoint, TopLayer, Radware, NAI Intrushield, Netscreen IDP, Reflex Security and even Checkpoint Intrespect all fit this definition.
In terms of your "definition" probably 90% of the firewall products that have
ever been on the market are IPS.
>A software shim (firewall) that sits between the kernel and the application. System calls are intercepted and blocked if they are outside the "allow" policy.
This sounds like *EVERY* antivirus product on the market, and that
has ever been on the market, since the first antivirus product latched
a DOS interrupt.
> Much simpler space with only three vendors, Cisco Secure Agent (was Okena), NAI Entercept, and Sana Security. A start up called Araksha is also looking at this space but they go much deeper into the application at run time.
What about the stack-based shims like Network Ice, Tiny Trojan Trap,
even ZoneAlarm, that handle network traffic inline and also are aware
of application state?
>The firewall vendors are excited by IPS because it is a product that can be deployed deep inside a network.
Everyone is excited about IPS because Gartner has hyped the
hell out of it and Gartner's own analysts (apparently) can't come up
with a decent definition of what it is.
I'll tell you what it is: it's hype. That's all.
The firewall vendors are excited about IPS because it's offering
them a chance to re-brand existing stuff, write some new
marketing glossies, and try to sell their firewalls on the interior
of the network. Guess what? We (us old-timer security guys)
have been telling customers forever that internal firewalls are
a good idea. You can call it IPS or you can call it a firewall
but it's gonna do the same thing and it's gonna be just as
tough a sell for the enterprise.
IDS vendors are "excited" about IPS because Gartner
"researchers" announced that their products are obsolete
and useless while simultaneously hyping a market concept
that has no real distinctions from that which has gone
before it. So all the IDS vendors are having to react to
Gartner's ex cathedra pronouncements because their customers
have bean-counters and senior management that are still
so technically illiterate that they take Gartner research as
In other words, Gartner has created a self-fulfilling circle-jerk.
> Initial traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on "academic freedom".
Since we've got you here, maybe you can give us an idea
of how many universities are doing IPS inline? When Gartner
announced IDS was dead and long live IPS I was unable to find
a *SINGLE* organization that was actually running an Intruvert
(the product Gartner claimed was the best) inline. Nobody on
this list (which encompasses a fairly large body of security
practitioners) came forward, either. Who is doing IPS inline and
how in the heck is that different from a firewall?
Anyone on the list care to corroborate this?
>Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.
Anyone on the list care to corroborate this?
firewall-wizards mailing list