RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)

From: Paul Robertson (proberts_at_patriot.net)
Date: 02/27/04

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Thu, 26 Feb 2004 18:02:10 -0500 (EST)
    
    

    On Thu, 26 Feb 2004, Marcus J. Ranum wrote:

    > Can you explain how these "signatures" and "protocol anomaly" detectors
    > and "behavior and flow capabilities" are going to NOT suffer all the problems
    > with false positives that caused Gartner to announce that IDS was a
    > failure?

    It's worse, IMO- I think IPS is the loss of default deny/principle of
    least priv. - so rather than strengthening rulesets to stop more bad
    stuff, we're back to the "prove it's bad, then we block it" mentality-
    that's never worked for security before, and I don't see how it's going
    to work now.

    It's no wonder proponents are touting universities (apologies to the .edu
    admins on this list who've overcome those battles the hard way)- where the
    prove-it's-bad mentality has had its best survival rate.

    Now that we've actually gotten back to the point where firewalls are
    capable of doing application layer decisions, it seems rather silly to
    toss that back out again and go with yet-another-miracle.

    The only thing something like network IPS gets you over a traditional
    firewall is the ability to catch some of the tunnel-over-everything
    protocols- and you can do that with a lot of modern firewalls (and could
    have written it into lots of older ones.)

    Why do management layer folks have such a preference for reactive rather
    than proactive security? In today's environment, we've actually gotten to
    the point where proactive security's palatable- why all the backpedaling?

    > (* With apologies to my horse P-nut who doesn't read this list.

    Hey, he's welcome to subscribe- anyway maybe he can partner with the cat
    and test IPS systems? :-P

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
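The contrast Paul draws above, between a signature-style "prove it's bad, then block it" policy and a default-deny firewall that makes application-layer decisions, as an added example that is not part of the original thread. The flows, the signature list and the HTTP validator are constructed and hypothetical; the point is to show which flows each policy lets through.

```python
import re

# Constructed sample flows (not from the thread): (proto, dst_port, first payload bytes)
FLOWS = {
    "plain_http":  ("tcp", 80,   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "tls_over_80": ("tcp", 80,   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # tunnel over 80
    "irc":         ("tcp", 6667, b"NICK bot1\r\nUSER bot1 0 * :bot\r\n"),
    "traversal":   ("tcp", 80,   b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
}

# Hypothetical signature list: block only what has already been proven bad.
SIGNATURES = [re.compile(rb"\.\./"), re.compile(rb"cmd\.exe")]

# Default-deny policy: the only permitted service is HTTP on tcp/80, and the
# payload must actually look like an HTTP request (an application-layer decision).
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST) /\S* HTTP/1\.[01]\r\n")
ALLOWED_SERVICES = {("tcp", 80): HTTP_REQUEST}


def blocklist_verdict(flow):
    """Signature-style IPS: permit unless a known-bad pattern matches."""
    _, _, payload = flow
    return "deny" if any(s.search(payload) for s in SIGNATURES) else "allow"


def default_deny_verdict(flow):
    """Least-privilege firewall: permit only a listed service whose payload conforms."""
    proto, port, payload = flow
    validator = ALLOWED_SERVICES.get((proto, port))
    if validator is None or not validator.match(payload):
        return "deny"
    return "allow"


def compare(flows=FLOWS):
    """Return {flow_name: (blocklist_verdict, default_deny_verdict)} for each flow."""
    return {name: (blocklist_verdict(f), default_deny_verdict(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (ips, fw) in compare().items():
        print(f"{name:12} blocklist={ips:5} default_deny={fw}")
```

The unknown tunnel and the IRC session pass the blocklist untouched, while default deny stops them without needing a signature; the traversal request shows the one case where a signature adds something the allowlist alone does not.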

