Re: [fw-wiz] IPS vs. Firewalls



Phil Albacore wrote:
They've heard that IPS sensors can be used to block traffic, so they've got it in their heads that we don't need a firewall anymore.


I would suggest http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html if you would like to save money in your IT Network Security Budget on the IPS/IDS budget line item and the Firewall budget line item.


-----Original Message-----
From: "Marcus J. Ranum" <mjr@xxxxxxxxx>
Sent: Feb 2, 2006 12:33 PM
To: Phil Albacore <phila@xxxxxxxxxxxxxxxxxxxxxxx>, firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] IPS vs. Firewalls

Phil Albacore wrote:
They've heard that IPS sensors can be used to block traffic, so they've got it in their heads that we don't need a firewall anymore.

I'd suggest you have them ask a few of the IPS vendors if they recommend
using their product in that manner. Unless you're talking to the IPS vendors
that are basically selling a firewall+signatures (like a "deep packet inspection"
firewall) they will backpedal away from that very rapidly. Perhaps your
path of least resistance is to tell them that you want one of the new
generation "IPS firewalls" then you can turn off the IPS crap (which
won't do anything except slow the firewall down, anyhow) and use the
firewall rules. The only problem with that is that most of the IPS firewalls
are little more than a cheesy "stateful" packet filter with a few dozen
signatures hammered into the packet forwarder loop. I'd be being
uncharacteristically generous if I said that they "suck" - they're not
nearly that good.

I've got to thank you for asking the question; it made me look at a few of
the IPS vendor claims to see if many of them have the guts to say they
replace a firewall. I particularly got a chuckle out of Intruvert's (now NAI)
claim that they protect against encrypted attacks. I needed some yuks
to lighten up my morning!!

I quote: "McAfee IntruShield delivers comprehensive protection against
today's constantly evolving threats, including known, zero-day, and
encrypted attacks."
Wow -- that does sound pretty good. I guess you don't need a firewall
after all!!

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
