Re: IPS (was: [fw-wiz] Sources for Extranet Designs?)

From: Gary Flynn (
Date: 02/27/04

  • Next message: "RE: [fw-wiz] Strange setup"
    Date: Thu, 26 Feb 2004 19:08:17 -0500

    Paul Robertson wrote:

    > On Thu, 26 Feb 2004, Marcus J. Ranum wrote:
    >>Can you explain how these "signatures" and "protocol anomaly" detectors
    >>and "behavior and flow capabilities" are going to NOT suffer all the problems
    >>with false positives that caused Gartner to announce that IDS was a
    > It's worse, IMO- I think IPS is the loss of default deny/principle of
    > least priv. - so rather than strengthening rulesets to stop more bad
    > stuff, we're back to the "prove it's bad, then we block it" mentality-
    > that's never worked for security before, and I don't see how it's going
    > to work now.
    > It's no wonder proponents are touting universities (apologies to the .edu
    > admins on this list who've overcome those battles the hard way)- where the
    > prove it bad mentality has had it's best survival rate.

    Hmmm, it sounds like you're assuming that universities have or had
    a default deny rule. :)

    As I mentioned in my previous response, we're basically a broadband
    ISP provider to 70-80% of the computers on our network - student
    home computers. While a default deny rule might be a good corporate
    strategy with limited and well-defined communications needs, it
    doesn't play well to the average home user...whether their Internet
    connection is provided by a university network or a commercial
    broadband home connection. I get complaints because I make games slow
    or unusable. :(

    And yeah, we could certainly do more in that realm in the
    non-student areas, and yeah, "academic freedom" is often
    overused as an excuse, but we do have different needs than
    a less fluid organization.

    That said, we've had several discussions about how we'd implement
    a general default deny rule recently. And we do have default deny
    rules in interior portions of the network.

    > Now that we've actually gotten back to the point where firewalls are
    > capable of doing application layer decisions, it seems rather silly to
    > toss that back out again and go with yet-another-miracle.

    On what applications? Certainly not all the ones
    I see go through our Internet connections.

    Can you write your own inspection rules for the typical firewall?

    Gary Flynn
    Security Engineer - Technical Services
    James Madison University
    firewall-wizards mailing list

  • Next message: "RE: [fw-wiz] Strange setup"