Re: [fw-wiz] IPS vs. Firewalls (why vs. ?)
Parental advisory: explicit vendor opinions may occur in this message!
Let me show how the IPS firewall market is seen from an IPS firewall
vendor perspective. I've been following this mailing list for 3 years
and few vendor opinions popped up. I don't know if this is because it's considered a kind of advertising (thus impolite) or what ... (in this case list admins, please drop this mail)
Let me invite my competitors to a friendly discussion about this layer 7 thing :)

Here's the thing:
1) Proxy firewalls: Proxy firewalls are in theory good because they can
do RFC compliance checks and "strange things won't be forwarded"
approach aka the marketing "day-0 protection". More, they'll do fragment
reassembly. The problems with proxies are:
- performance decreased due to complete session rewrite
- when used as reverse proxies for incoming connections you always have
those listening ports on the proxy-firewall. Listening ports mean
attackable ports.

2) Firewalls with signatures: just the old IDS signatures, but now
inline. The problems with signatures are:
- keep the number of signatures low or it'll be a bottleneck thing
(false negatives)
- false positives
- any variation of a known attack signature will be a new signature

3) new technologies:
- reassemble the fragments in a separate space, do the checks, then if
ok send the fragments (no session rewriting).
- focus on the "strange things won't be forwarded", rather than
signatures: faster, sharp, you can use the marketing wizard's "0-day
protection" word :)
- decode recursively to stop blended attacks
- don't use a proxy: check on the fly and if test is passed then forward the packet (so no session rewrites and no dangerous listening ports)

Gabriele

Marcus J. Ranum wrote:
I'd suggest you have them ask a few of the IPS vendors if they recommend
using their product in that manner. Unless you're talking to the IPS vendors
that are basically selling a firewall+signatures (like a "deep packet inspection"
firewall) they will backpedal away from that very rapidly. Perhaps your
path of least resistance is to tell them that you want one of the new
generation "IPS firewalls" then you can turn off the IPS crap (which
won't do anything except slow the firewall down, anyhow) and use the
firewall rules.
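The three points Gabriele contrasts above (reassemble fragments in a scratch buffer before checking, forward the original packets untouched if the check passes, and prefer a "strange things won't be forwarded" conformance check over literal signatures) can be shown side by side on a toy model. The block below is an added illustration written for this thread; it is not code from the original post, from NETASQ or from any product mentioned. It assumes a simplified (offset, data) fragment model, a constructed one-entry signature list, and constructed HTTP request lines; the signature string and URIs are made up for the example.

```python
"""Added example: inline inspection of a fragmented HTTP request line,
comparing a literal signature check with a protocol-conformance check.
Fragment model, signature and sample requests are all constructed."""
import re
from typing import List, Optional, Tuple

Fragment = Tuple[int, bytes]  # (offset within the datagram, payload bytes)

# Constructed signature list: one literal pattern for one known bad request.
# A byte-for-byte variant needs its own entry (the "false negatives" point).
SIGNATURES: List[bytes] = [b"GET /cgi-bin/known-bad.cgi HTTP/1.0"]

# Shape of a sane HTTP/1.x request line: method token, a URI made of
# printable bytes capped at 2048, the version, CRLF. Anything else is
# "strange" and is not forwarded, whether or not a signature exists for it.
REQUEST_LINE = re.compile(rb"\A[A-Z]{3,7} /[\x21-\x7e]{0,2047} HTTP/1\.[01]\r\n")


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram in a separate buffer. Gaps or overlapping
    fragments are rejected outright: that layout is itself strange."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buf):
            return None
        buf += data
    return bytes(buf)


def signature_hit(payload: bytes) -> bool:
    """Inline-IDS style: does any literal pattern occur in the payload?"""
    return any(sig in payload for sig in SIGNATURES)


def conformant(payload: bytes) -> bool:
    """Conformance style: does the payload look like a well-formed request?"""
    return REQUEST_LINE.match(payload) is not None


def inspect(fragments: List[Fragment], mode: str) -> Tuple[str, List[Fragment]]:
    """Check the reassembled copy, then forward the ORIGINAL fragments
    unchanged (no session rewrite) or drop them all."""
    payload = reassemble(fragments)
    if payload is None:
        return ("drop", [])
    if mode == "signature":
        ok = not signature_hit(payload)
    elif mode == "conformance":
        ok = conformant(payload)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ("forward", fragments) if ok else ("drop", [])


def split(payload: bytes, size: int) -> List[Fragment]:
    """Constructed sender side: cut a datagram into in-order fragments."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


# Constructed sample traffic.
KNOWN_BAD = b"GET /cgi-bin/known-bad.cgi HTTP/1.0\r\n"      # matches the signature
VARIANT = b"GET /cgi-bin/known-bad.cgi?x=1 HTTP/1.0\r\n"    # same target, signature misses
OVERSIZED = b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n"       # no signature, not well-formed
NORMAL = b"GET /index.html HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, req in [("known-bad", KNOWN_BAD), ("variant", VARIANT),
                      ("oversized", OVERSIZED), ("normal", NORMAL)]:
        frags = split(req, 1400)
        sig, _ = inspect(frags, "signature")
        conf, _ = inspect(frags, "conformance")
        print(f"{name:10s} fragments={len(frags)} signature={sig:8s} conformance={conf}")
```

The run makes the trade-off visible: the signature check drops only the literal known-bad line and forwards both the trivial variant and the oversized request, while the conformance check drops the oversized one (no signature needed) but forwards the known-bad line because it is perfectly well-formed. Fragmenting the oversized request changes nothing, since the decision is taken on the reassembled copy and the original fragments are what gets forwarded.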
