RE: Firewalls (was Re: IDS evaluations procedures)

From: Mike Barkett (mbarkett_at_nfr.com)
Date: 07/22/05

    To: "'Richard Bejtlich'" <taosecurity@gmail.com>, "'Nick Black'" <dank@qemfd.net>
    Date: Fri, 22 Jul 2005 13:56:07 -0400
    
    

    > -----Original Message-----
    > From: Richard Bejtlich [mailto:taosecurity@gmail.com]
    > Sent: Thursday, July 21, 2005 7:56 AM
    >
    > Hi Nick and list,
    >
    > If someone configures their layer 3/4 firewall to block, say, ports
    > 111 TCP and 445 TCP, and let everything else pass, we would agree that
    > is a poor deployment model. People still do this, unfortunately.
    >
    > If someone configures their layer 7 firewall (aka IPS) to block
    > traffic identified by signature, anomaly, vulnerability, whatever, and
    > let everything else pass, now we're discussing the way almost everyone
    > deploys IPSs.

    I've heard/read this wrongheaded argument and its variants over and over
    again. It goes sort of like this: "y'know, in the end IPS is just a
    firewall, and so now I'll proceed to judge it by firewall standards, and
    since it doesn't match my perception of a firewall, it's a poor solution."
    That is called circular reasoning.

    Firewalls have evolved as full-fledged network participants, and some folks
    would argue the firewall is the key component of a well designed network.
    Almost everyone uses them for NAT, many people use built-in VPN
    functionality, and I'll even frequently see people running routing protocols
    on the firewall. This is all in addition to "letting in what's good and
    denying everything else."

    The IPS wields a big sanity stick and uses it frequently to wallop stupid
    traffic. We all know there's lots of stupid traffic out there that still
    gets through the firewall. A high-quality IPS will also be effective at
    warding off real attackers and preventing insiders from doing prohibited
    things.

    This discussion so far has been about what is out there and what people do.
    Today, in 2005, an IPS is a device that complements your traditional
    firewall, whether it's a L3/4 device or a proxy, or whatever. Today, you
    can get a firewall to be smarter about the traffic it lets through, and you
    can set up an IPS to "let in what's good and deny everything else." I know
    people who DO use their IPS this way. Additionally, there are some products
    that claim to do it all, and truthfully that is probably where things are
    eventually going. But what you cannot do today, in 2005, is cut one check
    to one vendor and receive a single box that contains a best-of-breed IPS and
    a top notch firewall. That is, unless you cut the check to a VAR that sells
    NFR and some firewall and they ship them in the same box. :-D My point is,
    we should not ditch the technology simply because it is not nirvana.

    > I have not heard anyone defining and passing "authorized" traffic and
    > denying everything else via IPS. In fact, a hot hardware item these
    > days are inline bypass switches to avoid inline IPSs that fail.
    > "Better to keep the traffic flowing than fail closed!" is the
    > rationale.

    Two fail passthrough IPSes deployed serially can give non-HA networks a
    level of availability previously only found on fully redundant networks.
    Also, any IPS worth its salt will give the user the ability to
    disable/enable this feature at will. When used without another IPS or
    firewall, yes, fail passthrough is a poor security measure. However, some
    organizations choose to accept this risk, and many actually implement the
    safeguard properly.

    > I detest the term IPS, as it is a pure marketing term. It was created
    > by companies that needed to define a new access control product niche
    > to compete against the firewall giants of the early 2000s. (All
    > defensive measures are trying to prevent intrusions.)

    I agree, the term IPS is somewhat awkward, especially to anyone with a
    background in firewalls. I also believe that purism rarely creates value
    for anyone, and security is no exception. It is a growing pain of any
    market to endure tweener products and fad "marketing terms" as the
    technology gets fleshed out. As I said before, we live in today, and this
    is where the technology is.
     
    > However, I am not disrespecting the technology. Anything which can
    > make smarter access control decisions is extremely helpful and an
    > important part of the security arsenal.

    Good! I have some IPS to sell you. (There's my vendor disclaimer.) :)

    -MAB

    --
    (nfr)(security)
    Michael A Barkett, CISSP
    Vice President, Systems Engineering
    5 Choke Cherry Road, Rockville, MD 20850