Re: [fw-wiz] IPS vs. Firewalls (why vs. ?)

Interesting taxonomy, but many firewalls today combine the three kinds of security services you mention. My firewall's pretty GUI has proxies and IPS and stateful packet filters (oh my!). Actually, two of the other firewalls I have lying on the floor in my office have at least two of the three, and I suspect that one really does have a proxy but the marketing people don't want anyone to know about it.

Conclusion? I don't think the traditional arguments over proxy vs. DPI, signatures vs. NBS (0-day), etc. are all that relevant nor interesting.

While it's true that we go to war with the equipment we have and not the equipment we wish we had, it's also true that we can be more successful if we use *all* the equipment we have, and use each where it is most effective and efficient.

Proxies get the job done in a lot more situations than they are given credit for, and perform well. Claims that proxies unilaterally impede performance are marketing drivel. If you take issue with this, consider that some companies who bash proxies as being performance inhibitors bolt SSL VPNs onto their firewalls. So far as I know, there are no stateful inspection SSL VPN implementations.

There are situations where IPS may indeed provide relief from certain classes of attacks. There are probably situations where they will suck more cycles from your firewall than you can afford. If you want to prune and tune an IPS, God Bless You, there's the door, thanks for the visit.

Vendors will forever seek to innovate attack recognition and blocking. The hard part for us all is distinguishing one-off clever programming tricks from landmark and disruptive technology. Try before you buy, caveat emptor, etc.

Like most other aspects of network technology, security technology has no choice but to concede to the overwhelming pressures of "convergence". Products may begin as a pure-play IDS, IPS, firewall, SSL VPN, IdM, anti-malware/spam/spyware gateway, but to survive, they are forced to meld all these "point" solutions into a single offering. This really is no different from how routing, switching, and WAN access (muxes) evolved.

Gabriele Buratti wrote:
Parental advisory: explicit vendor opinions may occour in this message !
Let me show show how IPS firewall market is seen from a IPS firewall
vendor perspective. I've been following this mailing list for 3 years
and few vendor opinions popped up. I don't know if this is because it's considered a kind of advertising (thus unpolite) or what ... (in this case list admins, please drop this mail)
Let me invite my competitors in a friendly discussion about this layer 7 thing :)

Here's the thing:
1) Proxy firewalls: Proxy firewalls are in theory good because they can
do rfc compliance checks and "strange things won't be forwarded"
approach aka the marketing "day-0 protection". More, they'll do fragment
reassembly. The problems about proxies are:
- performance decreased due to complete session rewrite
- when used as reverse proxies for incoming connections you always have
that listening ports on the proxy-firewall. Listening ports means
attackable ports.

2) Firewalls with signatures: just the old IDS signatures, but now
inline. The problems with signatures are:
- keep the number of signatures low or it'll be a bottleneck thing
(false negatives)
- false positives
- any variation of a know attack signature will be a new signature

3) new technologies:
- reassemble the fragments in a separate space, do the checks, then if
ok send the fragments (no session rewriting).
- focus on the "strange things won't be forwarded", rather than
signatures: faster, sharp, you can use the marketing wizard's "0-day
protection" word :)
- decode recursively to stop blended attacks
- don't use a proxy: check on the fly and if test is passed then forward the packet (so no session rewrites and no dangerous listening ports)


Marcus J. Ranum wrote:
I'd suggest you have them ask a few of the IPS vendors if they recommend
using their product in that manner. Unless you're talking to the IPS vendors
that are basically selling a firewall+signatures (like a "deep packet inspection"
firewall) they will backpedal away from that very rapidly. Perhaps your
path of least resistance is to tell them that you want one of the new
generation "IPS firewalls" then you can turn off the IPS crap (which
won't do anything except slow the firewall down, anyhow) and use the
firewall rules.

fn:David Piscitello
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Relevant Pages

  • RE: Firewalls (was Re: IDS evaluations procedures)
    ... It would be difficult to dub IPS as a better firewall as traditional and ... Layer 7 firewalls fall more into the category of the IDS/IPS solutions ... IDS solutions do tend to ... picture of a network under attack. ...
  • RE: IDS vs. IPS deployment feedback
    ... Well, I am a security professional, and I am very much sold on IPS. ... Firewalls are not IPSs. ... IDS Dead? ...
  • Re: Firewalls and PCI
    ... I know of one company whose management wants to get rid of the IPS devices in front of their web servers and replace them with application firewalls "since we can't afford both and both block the bad stuff". ... Subject: Firewalls and PCI ... ponder (I know a lot of this is outside of the area of network design, ...
  • RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
    ... Now that we've actually gotten back to the point where firewalls are ... The only thing something like network IPS gets you over a tradtional ... than proactive security? ... Paul D. Robertson "My statements in this message are personal opinions ...
  • Re: operationg system firewall question
    ... They may or may not add proxies on top. ... In general Windows based firewalls are easiest for most to ... For most a hardware device seems to be the best solution. ...