Re: Firewall vs. IPS

From: Richard Bejtlich (taosecurity_at_gmail.com)
Date: 08/21/04

    Date: Fri, 20 Aug 2004 22:05:15 -0400
    To: focus-ids@securityfocus.com
    
    

    It's funny this is being discussed now. Addison-Wesley [0] asked me
    to do a short article for an upcoming Dr. Dobb's Journal [1], so I
    cover this subject.

    I argue against "convergence" between products doing "detection" and
    those doing "protection." Too many people focus on detecting
    _attacks_ when really they should be detecting _failures in
    protection_ caused by poor access control, exposure of vulnerable
    targets, and misconfiguration.

    This means the IDS remains a network audit device doing detection, and
    all products which filter, scrub, manipulate, or otherwise stop
    traffic are accepted as access control devices (aka "firewalls") doing
    protection.

    You can't have the same device do both functions. It's like a guard
    without a security camera thinking he's doing a good job when an
    intruder's already slipped behind him.

    If any convergence should take place, it should occur within the
    detection market (signature/anomaly/flow/etc. network/host-based IDS)
    and separately within the protection market (XML/spam/SQL/etc.
    IPS/firewalls).

    Sincerely,

    Richard
    http://www.taosecurity.com
    [0] http://www.awprofessional.com/title/0321246772
    [1] http://www.ddj.com
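An added example, not part of Richard's post, of what "detecting failures in protection" can look like in code: the completed sessions recorded by a passive audit sensor are checked against the access-control policy the firewall is supposed to enforce, and any session the policy says should not exist is reported, whether or not its payload matched an attack signature. The policy, addresses and observed flows below are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One access-control rule: first match wins, anything unmatched is denied."""
    src: str              # CIDR, "0.0.0.0/0" for any source
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    """A completed TCP session as recorded by a passive network audit sensor."""
    src: str
    dst: str
    dport: int

def policy_decision(policy: List[Rule], flow: Flow) -> str:
    """What the access-control device should have done with this flow (default deny)."""
    for rule in policy:
        if (ip_address(flow.src) in ip_network(rule.src)
                and ip_address(flow.dst) in ip_network(rule.dst)
                and rule.dport in (None, flow.dport)):
            return rule.action
    return "deny"

def protection_failures(policy: List[Rule], observed: List[Flow]) -> List[Flow]:
    """Sessions the sensor saw complete although policy says they must not exist.
    Each is evidence of a protection failure (misconfiguration, exposed target,
    or bypass), independent of whether any attack signature fired."""
    return [f for f in observed if policy_decision(policy, f) == "deny"]

# Constructed policy: public HTTPS to one host, SSH only from the admin LAN.
POLICY = [
    Rule("0.0.0.0/0", "10.0.1.10/32", 443, "allow"),
    Rule("10.0.2.0/24", "10.0.1.0/24", 22, "allow"),
]

# Constructed sample of sessions recorded by the audit sensor inside the perimeter.
OBSERVED = [
    Flow("203.0.113.5", "10.0.1.10", 443),  # expected, allowed by rule 1
    Flow("10.0.2.7", "10.0.1.10", 22),      # expected, allowed by rule 2
    Flow("203.0.113.9", "10.0.1.10", 22),   # SSH from outside: access control failed
    Flow("10.0.3.4", "10.0.1.20", 3306),    # database reachable from a non-admin subnet
]

if __name__ == "__main__":
    for f in protection_failures(POLICY, OBSERVED):
        print(f"protection failure: {f.src} -> {f.dst}:{f.dport}")
```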

