RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

From: Rob Shein (shoten_at_starpower.net)
Date: 08/18/04

  • Next message: Brewerton, Andrew: "portsentry"
    To: "'Jacob Winston'" <jctx09@yahoo.com>, <focus-ids@securityfocus.com>
    Date: Wed, 18 Aug 2004 15:31:32 -0400
    
    

    Last month, Richard Beijtlich (sorry if I mangled your last name, Rich) said
    the following:

    "If I could have one wish granted, it would be for the IPS to be recognized
    as a layer 7 firewall, and not compared to an IDS."

    That sentence really resonated with me. It seems to make a lot of sense to
    me that an IPS might eventually be what gets used as a firewall...one which
    takes the next evolutionary step.

    At first, there were packet filters, which only cared about what ports were
    used and which hosts were talking; they were ignorant with regard to
    connection state, fragmentation, or any other aspects of the communication.
    And they failed to account for services like FTP, where an outside host
    needs to open a second inbound channel on an unpredictable port to the
    server. But it definitely cut back on the exposure of a network to outside
    attackers.

    Then came stateful inspection, which addressed some of these problems. Now,
    you couldn't just slip things through a firewall as easily just by setting a
    source port of 53. And because the firewall could do packet inspection to a
    certain degree, FTP would work transparently as well. And it could reject
    fragmented packets, or other packets that were deliberately malformed. But
    it still couldn't tell the intent of the traffic passing back and forth; a
    simple GET request for "www.foo.org/index.html" looked the same to it as a
    GET request that used the unicode attack to traverse directories and grab a
    copy of the SAM. But just the same, it cut back even more on the exposure
    level.

    But what if the next step was to be able to specify not just that, but also
    to weed out a good bit of the hostile activity that would otherwise pass
    through unnoticed by the firewall? Mind you, I'm not saying that I think
    IPS would catch everything, or that it could even watch for attacks on all
    protocols, but it can definitely stop a good chunk of them. The exposure of
    your network has gone down, yet again.
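    An added illustration of the three generations this message walks through, written for this archive page and not taken from the original post or from any product named in it: a toy stateless packet filter, a stateful firewall and a layer-7 inspector, each fed the same constructed packets. The names (Packet, StatelessFilter, StatefulFirewall, Layer7Inspector, http_request_is_traversal), the 10.0.0.0/8 inside range and the web server address are all assumptions made for the example, and for brevity a request is modelled as riding on the packet that opens the connection, which real TCP does not do. The scenarios are the ones the post names: a packet from port 53 with and without a matching query behind it, and a GET whose path hides a directory traversal behind an overlong UTF-8 encoding.

```python
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

INSIDE = "10."              # constructed internal range (10.0.0.0/8), prefix match
WEB_SERVER = "10.0.0.80"    # constructed exposed web server (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False       # first packet of a new TCP connection
    payload: bytes = b""    # request modelled as riding on that same packet

    def inbound(self) -> bool:
        return self.dst.startswith(INSIDE) and not self.src.startswith(INSIDE)


class StatelessFilter:
    """Generation 1: addresses and ports only. Outbound is allowed, inbound
    TCP/80 to the web server is allowed, and anything *from* port 53 is allowed
    so DNS replies get back in. That last rule is the post's source-port-53 hole."""
    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound():
            return True
        return (pkt.dst == WEB_SERVER and pkt.dport == 80) or pkt.sport == 53


class StatefulFirewall:
    """Generation 2: same policy, but an inbound packet must belong to a session
    the inside opened or start a new connection to the one exposed service."""
    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound():
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.syn:
            self.sessions.add(key)          # new connection to the exposed service
        return key in self.sessions         # unsolicited 'port 53' traffic fails here


class Layer7Inspector(StatefulFirewall):
    """Generation 3, the post's 'IPS as a layer-7 firewall': the stateful
    checks plus a look at what the permitted HTTP connection actually asks for."""
    def allow(self, pkt: Packet) -> bool:
        if not super().allow(pkt):
            return False
        if pkt.inbound() and pkt.dport == 80 and pkt.payload:
            return not http_request_is_traversal(pkt.payload)
        return True


def lenient_utf8(data: bytes) -> str:
    """Decode as forgivingly as some servers once did, accepting 'overlong'
    two-byte encodings of ASCII (C0 AF is '/'); the filter must be as lenient."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def http_request_is_traversal(payload: bytes) -> bool:
    """True if the request target holds a '..' segment once repeated percent-
    encoding and lenient UTF-8 are undone; an unparsable request fails closed."""
    try:
        _method, target, _version = payload.split(b"\r\n", 1)[0].split(b" ", 2)
    except ValueError:
        return True
    for _ in range(3):                  # peel off double/triple percent-encoding
        decoded = unquote_to_bytes(target)
        if decoded == target:
            break
        target = decoded
    path = lenient_utf8(target).replace("\\", "/").split("?", 1)[0]
    return ".." in path.split("/")


def run_scenarios() -> dict:
    """Return (stateless, stateful, layer7) verdicts per scenario; True = allowed."""
    gens = (StatelessFilter(), StatefulFirewall(), Layer7Inspector())
    scenarios = {
        # inside host queries an outside resolver; the reply returns from port 53
        "dns_reply": [Packet("10.0.0.5", "203.0.113.53", 40000, 53),
                      Packet("203.0.113.53", "10.0.0.5", 53, 40000)],
        # outsider using source port 53 with no query behind it
        "spoofed_port_53": [Packet("198.51.100.9", "10.0.0.7", 53, 22)],
        # an ordinary GET, and one hiding '../' behind an overlong UTF-8 '/'
        "benign_get": [Packet("198.51.100.9", WEB_SERVER, 51000, 80, True, b"GET /index.html HTTP/1.0\r\n\r\n")],
        "traversal_get": [Packet("198.51.100.9", WEB_SERVER, 51001, 80, True,
                                 b"GET /scripts/..%c0%af../secret.txt HTTP/1.0\r\n\r\n")],
    }
    return {name: tuple(all(gen.allow(p) for p in pkts) for gen in gens)
            for name, pkts in scenarios.items()}
```

    Run over the constructed packets, the stateless filter passes all four, the stateful firewall drops the unsolicited port-53 packet, and only the layer-7 inspector refuses the encoded traversal, which is the step-by-step reduction in exposure the message describes. The inspector can only judge what it decodes the same way the protected server does, which is why the lenient decoder is there: a filter that rejects overlong sequences as invalid, while the server behind it happily turns them into '/', sees a different path than the server does.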

    Even better is that I would expect an IPS to stop the most mundane and
    common attacks, the ones used by the ankle-biters. And while these are
    easier to deal with in the first place, nonetheless machines do go
    accidentally unpatched (or misconfigured), and the kiddies are so numerous
    that I feel that their attacks are the largest threat, based on sheer force
    of numbers. So the next level IPS/firewall/whatever you call it has cut
    back on most of the background noise, allowing you to focus on the really
    unique and truly dangerous (and, as Mudge once said, "really cool") hacks.

    > -----Original Message-----
    > From: Jacob Winston [mailto:jctx09@yahoo.com]
    > Sent: Sunday, August 15, 2004 10:46 PM
    > To: focus-ids@securityfocus.com
    > Subject: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)
    >
    >
    >
    >
    > Things are getting a little confusing. ISS claims that its
    > Proventia boxes are also firewalls. Intrushield 2.1 has
    > firewall/layer 4 filtering capabilities now. If the
    > Intrushield box has layer 4 acls now then what makes it not be
    > equal to a firewall? What does a firewall do that an IPS
    > doesn't as long as the IPS can do layer-4 access lists? Any
    > info is appreciated.
    >
    > --------------------------------------------------------------
    > ------------
    > FREE Network Security Webinar - How to implement IPSec
    > security into VPN appliances
    >
    > New threats and vulnerabilities require new high-performance
    > IPSec VPN solutions for network protection. Join the security
    > experts from SafeNet on August 26 at 1:00 PM (Eastern), and
    > learn how to successfully integrate IPSec security into VPN
    > processors and appliances to provide powerful yet
    > cost-effective VPN solutions for your customers.
    > Register now:
    >
    > http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
    > --------------------------------------------------------------------------