Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 29 Mar 2002 13:36:56 -0500

"Marcus J. Ranum" wrote:

> I suspect you are referring to "intrusion prevention" - which is a
> hot new marketing term but basically everything that's being billed
> as "intrusion prevention" is just firewalling + antivirus with
> a bit of fresh paint on it.

Perhaps my understanding is naive. I've always thought of firewalls as
blindly blocking protocols, addresses, or unsolicited connection 
attempts according to policy. More of a risk management device minimizing
access based on "traffic profiling" if you will, than a device which makes 
decisions about the hostility of a particular piece of traffic.

I've thought of IDS systems as devices able to determine the
hostility of a particular piece of traffic, but, unfortunately,
mostly as a passive monitor of the process.

I'd consider an intrusion prevention system to be one as smart as an IDS 
with the capability to block associated traffic like a firewall. So I'd be 
able to allow incoming FTP, telnet, and ssh but the device would stop 
buffer overflow attempts. And I'd be able to allow incoming HTTP to neophyte
Windows 2000 machine owners but the device would block attempts at 
cmd.exe or default.ida. Proxy based firewalls are probably the closest
to what I'm looking for but I was under the impression that they
don't have as wide an understanding of intrusion signatures as do IDS 
boxes and the number of protocols supported by proxies is limited.

Am I hopelessly misinformed or outdated?

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
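
Added example, not part of the original post and not any vendor's implementation: a sketch of the distinction drawn in the message above, with a port-policy verdict next to an inline verdict that also inspects the HTTP request target for the two strings the post names (cmd.exe, default.ida). The allowed-port set, the function names and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Firewall-style policy (assumed): destination ports allowed in from outside.
ALLOWED_PORTS = {21, 22, 23, 80}

# Content signatures: the two strings named in the post.
SIGNATURES = [re.compile(r"cmd\.exe", re.I), re.compile(r"default\.ida", re.I)]


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so encoded variants hit the same signature."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def firewall_verdict(dst_port: int) -> str:
    """Policy only: the payload is never examined."""
    return "allow" if dst_port in ALLOWED_PORTS else "block"


def ips_verdict(dst_port: int, request_line: str) -> str:
    """Apply port policy first, then inspect the HTTP request target inline."""
    if firewall_verdict(dst_port) == "block":
        return "block"
    if dst_port != 80:
        return "allow"  # this sketch only understands HTTP
    parts = request_line.split()
    if len(parts) != 3:
        return "block"  # request line this sketch cannot parse: fail closed
    target = normalize(parts[1])
    return "block" if any(s.search(target) for s in SIGNATURES) else "allow"


# Constructed sample traffic: (destination port, first line of the request).
SAMPLES = [
    (80, "GET /index.html HTTP/1.0"),
    (80, "GET /scripts/cmd.exe?/c+dir HTTP/1.0"),
    (80, "GET /scripts/cmd%2Eexe?/c+dir HTTP/1.0"),
    (80, "GET /default.ida?AAAA HTTP/1.0"),
    (22, ""),
    (139, ""),
]

if __name__ == "__main__":
    for port, line in SAMPLES:
        print(port, repr(line), firewall_verdict(port), ips_verdict(port, line))
```

Every port-80 sample passes the port policy; only the inspecting verdict separates the ordinary page request from the other three, and the percent-encoded variant is caught only because the target is normalized before matching.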

