RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
From: Kowsik Guruswamy (KGuruswa_at_netscreen.com)
Date: 02/27/04
- Previous message: mcary_at_badgermeter.com: "RE: [fw-wiz] Strange setup"
- Maybe in reply to: Ben Nagy: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
- Next in thread: Christopher Lee: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
- Reply: Christopher Lee: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Christopher Lee'" <clee@myhome.homeip.net>, "'Stiennon,Richard'" <Richard.Stiennon@gartner.com>, "'Ben Nagy'" <ben@iagu.net>, firewall-wizards@honor.icsalabs.com
Date: Fri, 27 Feb 2004 09:33:04 -0800
Pretty much any layer-7 processing for TCP traffic mandates TCP stream
reassembly. Looking at TCP segments, one at a time, really doesn't get you
anywhere.
Yes, Netscreen IDP does perform reassembly [and a lot more] before
inspection.
K.
ps: I work for Netscreen.
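As an added illustration of the reassembly point above (example code written for this page, not Netscreen's or any vendor's implementation): a signature that straddles two TCP segments is invisible to per-packet string matching, but is found once the segments are reordered and reassembled into the byte stream. The segments, sequence numbers and signature are constructed samples.

```python
# Added example (not from the thread): per-segment string matching versus
# matching on the reassembled TCP stream. Segments are (seq, payload) tuples
# from one direction of a single connection; all values are constructed.
from typing import Iterable

SIGNATURE = b"GET /cgi-bin/vulnerable.cgi"   # constructed sample pattern, not a real rule

def match_per_segment(segments: Iterable[tuple[int, bytes]], sig: bytes = SIGNATURE) -> bool:
    """'Packets alone' inspection: look for sig inside each payload independently."""
    return any(sig in payload for _, payload in segments)

def reassemble(segments: Iterable[tuple[int, bytes]], isn: int) -> bytes:
    """Rebuild the byte stream from (seq, payload) segments.

    Handles out-of-order arrival and retransmissions that overlap bytes already
    seen (first copy wins). Stops at the first hole so nothing is inspected
    across missing data.
    """
    stream = bytearray()
    next_seq = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):   # order by seq number
        end = seq + len(payload)
        if end <= next_seq:          # pure retransmit of bytes we already have
            continue
        if seq > next_seq:           # gap: data still missing, stop here
            break
        stream += payload[next_seq - seq:]   # trim any overlapping prefix
        next_seq = end
    return bytes(stream)

def match_reassembled(segments: Iterable[tuple[int, bytes]], isn: int, sig: bytes = SIGNATURE) -> bool:
    """Stream inspection: match against the reassembled bytes."""
    return sig in reassemble(segments, isn)

# Constructed capture: the request is split so the signature straddles two
# segments, the second segment arrives first, and the first is retransmitted.
ISN = 1000
SEGMENTS = [
    (1014, b"ulnerable.cgi HTTP/1.0\r\n"),   # arrives out of order
    (1000, b"GET /cgi-bin/v"),
    (1000, b"GET /cgi-bin/v"),               # retransmission
]

if __name__ == "__main__":
    print("per-segment match:", match_per_segment(SEGMENTS))        # False
    print("reassembled match:", match_reassembled(SEGMENTS, ISN))   # True
```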
> -----Original Message-----
> From: Christopher Lee [mailto:clee@myhome.homeip.net]
> Sent: Thursday, February 26, 2004 7:45 PM
> To: 'Stiennon,Richard'; 'Ben Nagy';
> firewall-wizards@honor.icsalabs.com
> Subject: RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
>
>
> Just an FYI. Radware's DefensePro (or its IPS add-on on
> their platform, in
> general) does not do packet re-assembly (i.e. reconstruction
> of the data
> streams/sessions), it merely does string matching on the
> packets alone. I
> don't know Netscreen IDP, but I am curious to know if (and
> how) it actually
> reassembles packets before its inspection...
>
> Chris
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
> Stiennon,Richard
> Sent: February 26, 2004 12:51 PM
> To: Ben Nagy; firewall-wizards@honor.icsalabs.com
> Subject: RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
>
> Here are the definitions I am working with:
>
> Network IPS:
>
> An inline device that assembles packets into streams or
> sessions and parses
> them.
> Multiple methodologies to determine malicious intent. Usually includes
> signature, protocol anomaly, behavior and flow capabilities.
> The ability to drop sessions associated with attacks. Note, this is
> dramatically different than a firewall that can close
> *connections* based on
> source-destination-port.
>
> Definitions are often helped out by a set of reference
> vendors. In my mind,
> Tippingpoint, TopLayer, Radware, NAI Intrushield, Netscreen
> IDP, Reflex
> Security and even Checkpoint InterSpect all fit this definition.
>
> Host IPS:
>
> A software shim (firewall) that sits between the kernel and
> the application.
> System calls are intercepted and blocked if they are outside
> the "allow"
> policy. Much simpler space with only three vendors, Cisco
> Secure Agent (was
> Okena), NAI Entercept, and Sana Security. A start up called
> Araksha is also
> looking at this space but they go much deeper into the
> application at run
> time.
>
>
> The firewall vendors are excited by IPS because it is a
> product that can be
> deployed deep inside a network. Initial traction is being
> gained at public
> universities, mostly in the US where there is an objection to
> firewalls
> based on "academic freedom". Some of the network IPS vendors
> are profiting
> from the need to throttle undesirable traffic (file sharing) at
> universities.
>
> Best,
>
> -Richard Stiennon
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf
> Of Ben Nagy
> Sent: Thursday, February 26, 2004 9:06 AM
> To: firewall-wizards@honor.icsalabs.com
> Subject: RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
>
>
> Can I just jump in and ask what _exactly_ people think "IPS"
> means? I know
> I'm asking for a definition debate and we've all seen a bunch
> of those over
> the years, but I'm concerned that the "buzzword" factor has led to
> compression in terms of vocab.
>
> I don't see the basic "attach an IDS to a firewall and have
> the firewall do
> stuff based on signatures" concept as amazingly useful (my personal
> opinion). However lots of companies are producing stuff which
> they are also
> calling IPS (us included; consider that a disclaimer).
>
> Intrusion Prevention can be done at a number of places
>
> 1. The Firewall
> 2. The Network (inline IPS lives here)
> 3. The Host (cross platform issues here!)
> - 3a. The Host Network level (TDI or driver stuff, where the
> current PFWs
> live)
> - 3b. The Host Kernel / Memory Management level (systrace,
> pax, and their
> windows friends)
>
> Of those places, we can work on
>
> 1. Attack Signatures (easy to evade, prone to false
> positives, reactive)
> 2. Anomaly detection (statistical stuff, less configuration, foolable)
> 3. Rule Based (hard to program, slower, better suited to a host model)
> 4. Traffic / rate based.
>
> There is a lot of technical depth to the pros and cons of
> each approach [1].
> My own opinion is that the problem of malware, worms and the
> newer attack
> vectors (VPN, wireless, laptops etc) pretty much makes it
> pointless to focus
> too much on FW based IPS.
>
> Basically, firewalls are perimeter based, have huge problems
> coping with
> threats that are above the network level, and it's always
> going to be hard
> work to stretch their capacities. Witness the profound marketing and
> technical failure of the proxy firewall, for example. (ok,
> maybe that sounds
> like a troll. ;)
>
> However, even the crappiest personal firewall has a
> reasonable chance to
> contain malware by using application firewalling (this app
> can bind ports
> this one can't). The way that is being approached today is pretty
> primitive, and there is a lot of work to do - yes - but it's
> a start. I see
> future potentiallllllll in an anomaly based approach which
> can really step
> in at the network level - buuut...
>
> Anyways, I'll restrict the rant, but the point is that it's
> an overused
> term, it's Gartnerised, but it's genuinely interesting. I'd
> love to hear
> some of your opinions about the viability of the various approaches -
> because it's fairly clear that we need _some_ new approach.
>
> ben
>
> [1] European readers with too much time on their hands could
> come and hear
> me waffle about this at Infosecurity Europe. Those of you out
> there who know
> more about this than I do are welcome to clue me up in advance. ;)
>
> > -----Original Message-----
> > From: firewall-wizards-admin@honor.icsalabs.com
> > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> > Of Don Parker
> > Sent: Tuesday, February 24, 2004 12:00 AM
> > To: Marcus J. Ranum; Wes Noonan; 'Baumann, Sean C.'; 'R. DuFresne'
> > Cc: 'Paul Robertson'; firewall-wizards@honor.icsalabs.com
> > Subject: RE: [fw-wiz] Sources for Extranet Designs?
> >
> > Yes indeed IPS is an excellent technology that is slowly
> > maturing. There is still nothing wrong with the IDS though.
> [...]
> >
> > On Feb 23, "Marcus J. Ranum" <mjr@ranum.com> wrote:
> >
> > Wes Noonan wrote:
> > >IPS would be a no brainer for me in this scenario.
> >
> > I. Hate. To. Admit. It. But. You. May. Be Right.
> >
> > IPS hype aside, and ignoring what the Gartner idiots think,
> > there's a conceptual value to the IPS concept. Basically, a
> > firewall implements one of 2 policies:
> > - Permit
> > - Deny
> >
> > IPS (i.e.: a signature-based firewall) adds a third option to
> > the policy matrix:
> > - Permit
> > - Deny
> > - Permit it as long as it is not obviously abusive
> > (e.g.: signature
> > hasn't fired)
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards