[fw-wiz] Re: IPS

From: Gary Flynn (flynngn_at_jmu.edu)
Date: 02/27/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 26 Feb 2004 18:46:15 -0500

    Marcus J. Ranum wrote:

    > Stiennon,Richard wrote:
    >>Initial traction is being gained at public universities, mostly in the US where there is an objection to firewalls based on "academic freedom".
    >
    > Since we've got you here, maybe you can give us an idea
    > of how many universities are doing IPS inline? When Gartner
    > announced IDS was dead and long live IPS I was unable to find
    > a *SINGLE* organization that was actually running an Intruvert
    > (the product Gartner claimed was the best) inline. Nobody on
    > this list (which encompasses a fairly large body of security
    > practitioners) came forward, either. Who is doing IPS inline and
    > how in the heck is that different from a firewall?
    >
    > Anyone on the list care to corroborate this?

    ( I wonder if I'm getting hooked here )

    I know of a few universities that have them installed and we'll
    have a couple installed here in the next few weeks. I was
    looking at them way before Gartner's report. In fact, I think
    I was asking about them on this list a couple years ago when
    there was only one product on the market...Onesecure. I got sick
    of watching Snort reports tell me about things that could
    easily have been blocked with an inline device. One
    packet blocked is one less packet I have to defend against.
    The other billion will keep me plenty busy.

    It has much less to do with academic freedom than it does with
    adding an extra layer of security around an open network. Today's
    non-proxy firewalls can enforce a rather coarse security policy.
    A blocking IDS engine, whether implemented in a firewall like
    Checkpoint's SmartDefense or a standalone, inline "IDP" product,
    can get more granular. More to the point, some of them can more
    easily be configured to address current, specific threats in
    a timely manner without resorting to an out and out block of
    a particular service. At least that is where I see their primary
    value. I sometimes write Snort rules to detect exploits of
    recently announced vulnerabilities or to detect suspicious
    activity for followup. Would I put them into operation as a
    blocking rule? Some of them. That gives me some additional
    flexibility to block some known, malicious activity while still
    allowing a class of communications that may be valuable to some
    segment of our population. Remember that is why networks were
    invented. If security was the primary requirement, we'd use
    your ultimate firewall. :)

    Also remember that a lot of university networks are basically
    ISPs to students who live on their network using what are
    basically home computers. In fact, 70-80% of the computers on
    those "university networks" are actually home computers. The
    problems we've seen there have often been precursors to what
    later happens on broadband home connections...a place where
    proxy firewalls would be a bit difficult to install. :)

    An IDP may provide configuration management processes a little
    more time to work at getting systems upgraded or reconfigured
    in the face of a new threat.

    Are these "IDP devices" as secure for a particular service as
    a well-written, proxy firewall would be? Probably not.
    Particularly for services needing an encryption boundary like
    HTTPS. But past proxy firewalls are limited in supported
    services, have questionable depth to their understanding of
    the underlying service, and aren't amenable to a more or less
    open network. And they certainly don't help to allow innovative,
    new services to be developed and used if they refuse to pass
    unsupported services. (Yes, I know, that can be two-pronged.)

    Yeah, from a security standpoint, I'd rather install in-depth,
    versatile, programmable proxy firewalls for every service
    we allow (in front of every system :). But I don't know of one.

    The Internet was designed and owes much of its rapid innovations
    to the concept of a dumb communications network with intelligence
    at its endpoints. Admittedly, that architecture, and especially
    its assumption of (trusted?) intelligence at its endpoints, has
    resulted in a wealth of problems. And it may be that it cannot
    survive in its present format
    (http://falcon.jmu.edu/~flynngn/whatnext.htm).

    Anyone looking for a miracle box (firewall, IDP, appliance, VPN,
    IPSEC, Trusted Computing Platform, etc.) that is going to solve
    the problems associated with its underlying architectural
    weaknesses and assumptions is just fooling themselves. I just
    want another tool, the inline IDP, to *help* me survive the
    current lawless chaos until we all digress into balkanized
    networks or some major changes are made.

    Do I think they make us immune? Of course not. They merely
    raise the fence a fraction higher. Just like AV, mail
    filters, patches, VPNs, encryption, access controls, and other
    security measures.

    Are IDPs the be-all and end-all of intrusion prevention?
    Of course not. Is the name unfortunate? Certainly. The
    lock on my door is an Intrusion Prevention Device. But
    the concept is valid and, if expectations are in line
    with reality, I think they'll provide a useful function
    albeit with the usual cost of maintaining and monitoring
    yet another defensive layer.

    >>Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.
    >
    >
    > Anyone on the list care to corroborate this?

    I don't know about that. I think some IDPs claim some traffic
    shaping capabilities but I think products like Packeteer's
    Packetshaper have more sophisticated capabilities in that
    realm.

    In any case, traffic shapers, NIDS/NIDP, and deep packet
    inspection firewalls are going to eventually go the way
    of the dodo unless they're set up behind a common
    encryption border. When everything looks like HTTPS, their
    value will be limited as far as data inspection is concerned.

    -- 
    Gary Flynn
    Security Engineer - Technical Services
    James Madison University