Re: Firewalls (was Re: IDS evaluations procedures)
From: Richard Bejtlich (taosecurity_at_gmail.com)
Date: 07/19/05
- Previous message: Nathan Davidson: "RE: IDS evaluations procedures"
- In reply to: Devdas Bhagat: "Firewalls (was Re: IDS evaluations procedures)"
- Next in thread: Devdas Bhagat: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Reply: Devdas Bhagat: "Re: Firewalls (was Re: IDS evaluations procedures)"
- Reply: Nick Black: "Re: Firewalls (was Re: IDS evaluations procedures)"
Date: Mon, 18 Jul 2005 21:09:42 -0400
To: Devdas Bhagat <devdas@dvb.homelinux.org>, focus-ids@securityfocus.com
On 7/17/05, Devdas Bhagat <devdas@dvb.homelinux.org> wrote:
> An IDS is not an attack prevention mechanism. An IDS is a tool to detect
> when your active attack detection mechanisms have been bypassed. An IDS is
> passive. It tells you what it can see, but it is not supposed to do
> anything to that traffic. Active elements are called firewalls, and
> firewalls include both packet filters and proxies.
>
Wow, I had almost given up hope that anyone else thought this way.
Bravo Devdas. The "IPS is better than IDS" crowd ignores the fact
that an IPS is another kind of firewall, not an "improved" IDS.
In fact, you could argue the IPS is a step backward from a stateful
layer 3/4 firewall in that the IPS inverts a proven security model.
Good security (implemented on most firewalls) says "allow what policy
says is authorized, deny all else." The IPS model says "deny what
policy says is malicious, allow all else." Marty pointed this out a
while ago and it has stayed with me.
I think IPS is helpful when one needs to make granular access control
decisions based on layer 7 traffic characteristics. However, large
parts of the security community are still confused by a marketing
person's decision to replace the letter "D" with a "P" in the I_S
acronym.
Thank you,
Richard
http://www.taosecurity.com
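The two policy models the post contrasts can be made concrete with a small policy engine. This is an added example and not code from the thread or from any product its participants discuss; the allow-list, the signature set and the four traffic flows are all constructed for illustration. Running the same flows through a default-deny layer 3/4 firewall and a default-allow, signature-driven IPS shows both halves of the argument: the IPS can block a layer 7 pattern the port-based firewall passes, while traffic that matches no rule at all is dropped by the firewall and let through by the IPS.

```python
# Added example, not from the original thread. A toy policy engine that
# evaluates the same constructed flows under the two models named in the
# post: a default-deny layer 3/4 firewall and a default-allow IPS.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One simplified connection attempt (constructed sample data)."""
    name: str
    proto: str
    dport: int
    payload: bytes = b""


# Firewall model: "allow what policy says is authorized, deny all else".
# The allow-list is a hypothetical policy for a web/mail host.
FIREWALL_ALLOW = frozenset({("tcp", 25), ("tcp", 80), ("tcp", 443)})


def firewall_decision(flow: Flow) -> str:
    """Layer 3/4 decision: only the (protocol, port) tuple is consulted,
    so an unlisted port is denied regardless of what it carries."""
    return "allow" if (flow.proto, flow.dport) in FIREWALL_ALLOW else "deny"


# IPS model: "deny what policy says is malicious, allow all else".
# Signatures are hypothetical (protocol, port, payload substring) triples.
IPS_SIGNATURES = {
    "http-dir-traversal": ("tcp", 80, b"../../"),
    "smtp-vrfy-probe": ("tcp", 25, b"VRFY "),
}


def ips_decision(flow: Flow) -> str:
    """Layer 7 aware decision: deny only when a signature fires.
    Anything the signature set does not describe is allowed."""
    for proto, port, pattern in IPS_SIGNATURES.values():
        if flow.proto == proto and flow.dport == port and pattern in flow.payload:
            return "deny"
    return "allow"


# Constructed traffic sample. The last flow stands in for traffic the
# signature set has never seen: an unauthorized port with novel content.
SAMPLE_FLOWS = [
    Flow("web-get", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow("tls-hello", "tcp", 443, b"\x16\x03\x01"),
    Flow("web-traversal", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Flow("unknown-port", "tcp", 31337, b"\x00\x01novel"),
]


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {flow name: (firewall decision, ips decision)} for each flow."""
    return {f.name: (firewall_decision(f), ips_decision(f)) for f in flows}


def unmatched_outcome(flows=SAMPLE_FLOWS) -> dict:
    """For flows that no rule of either model mentions (port outside the
    allow-list and no signature hit), report what each model does. This
    isolates the default action, which is where the two models invert."""
    result = {}
    for f in flows:
        in_allow_list = (f.proto, f.dport) in FIREWALL_ALLOW
        sig_hit = ips_decision(f) == "deny"
        if not in_allow_list and not sig_hit:
            result[f.name] = (firewall_decision(f), ips_decision(f))
    return result


if __name__ == "__main__":
    print(f"{'flow':<14}{'firewall':<10}{'ips':<10}")
    for name, (fw, ips) in compare().items():
        print(f"{name:<14}{fw:<10}{ips:<10}")
    print("unmatched traffic:", unmatched_outcome())
```

The table this prints is the post's argument in four rows: the traversal attempt is the case where layer 7 granularity earns the IPS its keep, and the unknown-port flow is the case where the inverted default lets through exactly what a default-deny firewall would have stopped.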