Re: IPS (was: [fw-wiz] Sources for Extranet Designs?)
From: Gary Flynn (flynngn_at_jmu.edu)
To: firstname.lastname@example.org
Date: Thu, 26 Feb 2004 19:08:17 -0500
Paul Robertson wrote:
> On Thu, 26 Feb 2004, Marcus J. Ranum wrote:
>>Can you explain how these "signatures" and "protocol anomaly" detectors
>>and "behavior and flow capabilities" are going to NOT suffer all the problems
>>with false positives that caused Gartner to announce that IDS was a
> It's worse, IMO- I think IPS is the loss of default deny/principle of
> least priv. - so rather than strengthening rulesets to stop more bad
> stuff, we're back to the "prove it's bad, then we block it" mentality-
> that's never worked for security before, and I don't see how it's going
> to work now.
> It's no wonder proponents are touting universities (apologies to the .edu
> admins on this list who've overcome those battles the hard way)- where the
> prove it bad mentality has had its best survival rate.
Hmmm, it sounds like you're assuming that universities have or had
a default deny rule. :)
As I mentioned in my previous response, we're basically a broadband
ISP provider to 70-80% of the computers on our network - student
home computers. While a default deny rule might be a good corporate
strategy with limited and well-defined communications needs, it
doesn't play well to the average home user...whether their Internet
connection is provided by a university network or a commercial
broadband home connection. I get complaints because I make games slow
or unusable. :(
And yeah, we could certainly do more in that realm in the
non-student areas, and yeah, "academic freedom" is often
overused as an excuse, but we do have different needs than
a less fluid organization.
That said, we've had several discussions about how we'd implement
a general default deny rule recently. And we do have default deny
rules in interior portions of the network.
> Now that we've actually gotten back to the point where firewalls are
> capable of doing application layer decisions, it seems rather silly to
> toss that back out again and go with yet-another-miracle.
On what applications? Certainly not all the ones
I see go through our Internet connections.
Can you write your own inspection rules for the typical firewall?
--
Gary Flynn
Security Engineer - Technical Services
James Madison University

_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
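The thread contrasts two policy models: default deny (permit only the services the site has decided it needs) and the IPS-style "prove it's bad, then block it" model (permit everything except traffic matching known-bad signatures). The toy evaluator below is an added illustration, not code from either poster; the allowlist, signature strings and sample flows are all constructed for the example. It runs the same four flows through both models so the blind spot of each is visible side by side: the signature model passes a novel exploit on an unexpected port, while the default-deny model blocks the game traffic that draws the complaints Gary describes.

```python
"""Toy comparison of default-deny vs signature-based default-allow filtering.
Added example; all data below is constructed and hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    payload: bytes


# Constructed allowlist: the only services the site has decided it needs.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed "known bad" patterns, standing in for an IPS signature set.
SIGNATURES = [b"EVIL-EXPLOIT-A", b"EVIL-EXPLOIT-B"]


def default_deny(flow: Flow) -> bool:
    """Default deny: a flow passes only if its service is explicitly allowed."""
    return (flow.proto, flow.dst_port) in ALLOWED_SERVICES


def ips_style(flow: Flow) -> bool:
    """Default allow: a flow passes unless it matches a known-bad signature."""
    return not any(sig in flow.payload for sig in SIGNATURES)


# Constructed sample flows exercising both models.
SAMPLE_FLOWS = {
    # Ordinary HTTPS request: both models let it through.
    "web_request": Flow("tcp", 443, b"GET / HTTP/1.1"),
    # Known exploit riding on an allowed port: only the signature catches it.
    "known_exploit_on_web_port": Flow("tcp", 80, b"POST /x EVIL-EXPLOIT-A"),
    # Never-seen payload to an unexpected port: only default deny stops it.
    "novel_exploit_new_port": Flow("tcp", 1337, b"\x90\x90 unknown payload"),
    # Legitimate game traffic on an unlisted port: default deny breaks it.
    "game_traffic": Flow("udp", 27015, b"game state update"),
}


def evaluate(flows=SAMPLE_FLOWS):
    """Return, per flow, whether each policy model would permit it."""
    return {
        name: {"default_deny": default_deny(f), "ips_style": ips_style(f)}
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:28s} default_deny={verdict['default_deny']!s:5s} "
              f"ips_style={verdict['ips_style']}")
```

The point the table makes is the one both sides of the thread are arguing: a signature list can only ever stop what someone has already proven bad, whereas default deny stops the unknown at the cost of also stopping anything nobody thought to allow.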