Firewall Wizards mailing list archives
RE: IPS (was: Sources for Extranet Designs?)
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 27 Feb 2004 09:27:31 +0100
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
Sent: Thursday, February 26, 2004 11:00 PM
To: Stiennon,Richard; Ben Nagy; firewall-wizards () honor icsalabs com
Subject: RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)

> Stiennon,Richard wrote:
> > Network IPS: An inline device that assembles packets into streams or sessions and parses them.
>
> So far, that's a "firewall" - the first firewalls did all that inherently since they were proxies.
>
> [...]
>
> > Multiple methodologies to determine malicious intent. Usually includes signature, protocol anomaly, behavior and flow capabilities.
>
> Many first generation proxy firewalls did this, too. DEC SEAL had a rate limiter feature that would saw off a connection that attempted to tunnel outgoing traffic over an FTP command stream or TELNET session. Protocol anomaly detection was inherent in most if not all of the early proxy firewalls.

[...]

Yeah, this is kind of the point I was getting at before. I (personally) think that protocol anomaly stuff is cool - it's less liable to false positives, for a start, and that's my biggest fear. I also think that the 'real' (true proxy) firewalls have two massive problems for our environment today. First, they're Too Damn Slow (for some marketing definition of slow) and second it's the wrong place to step in, since single chokepoint networks are about as common as green diamonds. Not to mention that there aren't as many true proxies as protocols people absolutely desperately need to do business.

[...]

> Intrusion Prevention CAN'T be something as simple and stupid and ancient as a firewall that detects and closes sessions based on application layer attack detection. That's not sexy, is it? And sexing up and hyping stuff is your job, isn't it? Those startups' marketing departments aren't gonna pay Gartner big bucks to put them on the proxy firewall magic quadrant, are they?

Sounds pretty sexy to me - I'd buy one that worked, as long as it could also deal with the problem network wide. :)

[...]

> > Host IPS: A software shim (firewall) that sits between the kernel and the application. System calls are intercepted and blocked if they are outside the "allow" policy.
>
> [...]
>
> > Much simpler space with only three vendors, Cisco SecureAgent (was Okena), NAI Entercept, and Sana Security. A start-up called Araksha is also looking at this space but they go much deeper into the application at run time.
>
> What about the stack-based shims like Network Ice, Tiny Trojan Trap, even ZoneAlarm, that handle network traffic inline and also are aware of application state?

Exactly. Trying to "fix" the windows stack / memory addressing / system call model is like herding cats. In addition it's slow. Stack shims have way less bandwidth and less stuff to check.

> > The firewall vendors are excited by IPS because it is a product that can be deployed deep inside a network.
>
> Everyone is excited about IPS because Gartner has hyped the hell out of it and Gartner's own analysts (apparently) can't come up with a decent definition of what it is.
>
> [...]
>
> I'll tell you what it is: it's hype. That's all.
>
> [...]
>
> Gartner has created a self-fulfilling circle-jerk.

(drunk voice) "I love you, man."

[...]

> > Some of the network IPS vendors are profiting from the need to throttle undesirable traffic (file sharing) at universities.
>
> Anyone on the list care to corroborate this?

Uh, why wouldn't they use traffic shaping, which is mature and cheaper? Is a standard Cisco router an inline IPS now? Cool!

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
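The DEC SEAL anecdote in the quoted message (a proxy that saws off an FTP command stream being used to tunnel data) is the one concrete technique in this thread. As an added example that is not part of the original message and is not DEC SEAL's or any vendor's code, here is a minimal version of that check in Python: it reassembles the client side of an FTP control channel into lines, rejects syntax and verbs that RFC 959 and the common extensions do not define, and cuts the session when the byte or command rate on the control channel exceeds a window budget. The function names (feed, analyse), the Policy thresholds and the three sample streams are assumptions constructed for the illustration, not measurements from any product or network.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Sequence, Tuple

# Command verbs from RFC 959 plus the common FEAT/OPTS/EPSV/EPRT/MLSx/SIZE/MDTM
# extensions. Anything else arriving on the control channel is a protocol anomaly.
FTP_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV", "TYPE",
    "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR", "RNTO", "ABOR",
    "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP",
    "FEAT", "OPTS", "EPSV", "EPRT", "MLSD", "MLST", "SIZE", "MDTM",
}
# A well-formed command line: 3-4 letter verb, optional printable-ASCII argument, CRLF.
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: ([\x20-\x7e]*))?\r\n$")


@dataclass
class Policy:
    """Hypothetical thresholds (assumed for this example). Interactive FTP control
    traffic is a few short lines per second; data tunnelled in SITE arguments is not."""
    max_line_bytes: int = 512
    window_sec: float = 10.0
    max_bytes_per_window: int = 2048
    max_cmds_per_window: int = 30


@dataclass
class Session:
    buf: bytes = b""                                    # unterminated tail of the stream
    history: Deque[Tuple[float, int]] = field(default_factory=deque)  # (time, line bytes)
    closed: bool = False                                # True once the proxy would cut the connection
    reasons: List[str] = field(default_factory=list)


def _window_totals(sess: Session, pol: Policy, now: float) -> Tuple[int, int]:
    """Drop history older than the window; return (commands, bytes) still inside it."""
    while sess.history and now - sess.history[0][0] > pol.window_sec:
        sess.history.popleft()
    return len(sess.history), sum(n for _, n in sess.history)


def feed(sess: Session, pol: Policy, now: float, data: bytes) -> List[str]:
    """Reassemble client->server bytes into command lines and judge each one.
    Returns the anomalies found in this segment; the session is closed on the first,
    which is what an inline proxy does instead of logging and forwarding."""
    found: List[str] = []
    if sess.closed:
        return found
    sess.buf += data
    # Never wait for a CRLF that may not come: an unterminated run longer than any
    # sane command is either an overflow attempt or bulk data.
    if b"\r\n" not in sess.buf and len(sess.buf) > pol.max_line_bytes:
        found.append(f"oversized unterminated line ({len(sess.buf)} bytes)")
    while not found and b"\r\n" in sess.buf:
        line, sess.buf = sess.buf.split(b"\r\n", 1)
        line += b"\r\n"
        sess.history.append((now, len(line)))
        cmds, nbytes = _window_totals(sess, pol, now)
        m = CMD_RE.match(line)
        if m is None:
            found.append(f"malformed command line {line[:24]!r}")
        elif m.group(1).upper().decode() not in FTP_VERBS:
            found.append(f"unknown verb {m.group(1).decode()!r}")
        elif len(line) > pol.max_line_bytes:
            found.append(f"oversized command line ({len(line)} bytes)")
        elif nbytes > pol.max_bytes_per_window:
            found.append(f"{nbytes} control-channel bytes in {pol.window_sec:g}s window")
        elif cmds > pol.max_cmds_per_window:
            found.append(f"{cmds} commands in {pol.window_sec:g}s window")
    if found:
        sess.closed = True
        sess.reasons.extend(found)
    return found


def analyse(stream: Sequence[Tuple[float, bytes]], pol: Optional[Policy] = None) -> Session:
    """Run a whole (time, segment) stream through feed() and return the final state."""
    pol = pol or Policy()
    sess = Session()
    for now, chunk in stream:
        feed(sess, pol, now, chunk)
    return sess


# Constructed sample traffic; not captured from any real system.
LEGIT_STREAM = [
    (0.0, b"USER anonymous\r\n"),
    (0.4, b"PASS guest@example.org\r\n"),
    (1.1, b"SYST\r\nTYPE I\r\n"),       # two commands in one TCP segment
    (1.5, b"PA"), (1.6, b"SV\r\n"),      # one command split across two segments
    (2.0, b"RETR README.txt\r\n"),
    (9.0, b"QUIT\r\n"),
]
# Valid verb, valid syntax, but ~100 bytes of base64 every 50 ms: the tunnelling case.
TUNNEL_STREAM = [(0.05 * i, b"SITE X " + b"QUJD" * 24 + b"\r\n") for i in range(40)]
# Something that is not FTP at all on the FTP control port.
HTTP_STREAM = [(0.0, b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n")]

if __name__ == "__main__":
    for name, stream in [("legit", LEGIT_STREAM), ("tunnel", TUNNEL_STREAM), ("http", HTTP_STREAM)]:
        s = analyse(stream)
        print(f"{name:7s} closed={s.closed} reasons={s.reasons}")
```

Run directly, the legitimate stream passes, the SITE-argument tunnel is cut on its 20th line on byte rate alone (every line is syntactically valid FTP, so no signature would have caught it), and the HTTP stream dies on its first line as an unknown verb. The policy describes what the protocol permits rather than what attackers do, which is the property that keeps protocol-anomaly checks cheap on false positives; the cost is that a tunnel that stays under the rate budget is not seen, so the thresholds are a tuning decision, not a constant.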