RE: IPS (was: Sources for Extranet Designs?)

["Ben Nagy" <ben () iagu net>]

> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjr () ranum com] 
> Sent: Thursday, February 26, 2004 11:00 PM
> To: Stiennon,Richard; Ben Nagy; firewall-wizards () honor icsalabs com
> Subject: RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)
>
> Stiennon,Richard wrote:
> > Network IPS:
> > An inline device that assembles packets into streams or 
> sessions and parses them.
>
> So far, that's a "firewall" - the first firewalls did all 
> that inherently since they were proxies. 
[...]
> > Multiple methodologies to determine malicious intent. 
> Usually includes signature, protocol anomaly, behavior and 
> flow capabilities. 
>
> Many first generation proxy firewalls did this, too. DEC SEAL 
> had a rate limiter feature that would saw off a connection 
> that attempted to tunnel outgoing traffic over an FTP command 
> stream or TELNET session. Protocol anomaly detection was 
> inherent in most if not all of the early proxy firewalls.
[...]

Yeah, this is kind of the point I was getting at before. I (personally)
think that protocol anomaly stuff is cool - it's less liable to false
positives, for a start, and that's my biggest fear. I also think that the
'real' (true proxy) firewalls have two massive problems for our environment
today. First, they're Too Damn Slow (for some marketing definition of slow)
and second it's the wrong place to step in, since single chokepoint networks
are about as common as green diamonds. Not to mention that there aren't as
many true proxies as protocols people absolutely desperately need to do
business.

[...]
> Intrusion Prevention
> CAN'T be something as simple and stupid and ancient as a 
> firewall that detects and closes sessions based on 
> application layer attack detection. That's not sexy, is it? 
> And sexing up and hyping stuff is your job, isn't it? Those 
> startups' marketing departments aren't gonna pay Gartner big 
> bucks to put them on the proxy firewall magic quadrant, are they?

Sounds pretty sexy to me - I'd buy one that worked, as long as it could also
deal with the problem network wide. :)

[...]
> > Host IPS:
> >
> > A software shim (firewall) that sits between the kernel and 
> the application. System calls are intercepted and blocked if 
> they are outside the "allow" policy.
[...]
> >  Much simpler space with only three vendors, Cisco Secure 
> Agent (was Okena), NAI Entercept, and Sana Security.  A start 
> up called Araksha is also looking at this space but they go 
> much deeper into the application at run time. 
>
> What about the stack-based shims like Network Ice, Tiny 
> Trojan Trap, even ZoneAlarm, that handle network traffic 
> inline and also are aware of application state?

Exactly. Trying to "fix" the windows stack / memory addressing / system call
model is like herding cats. In addition it's slow. Stack shims have way less
bandwidth and less stuff to check.

> > The firewall vendors are excited by IPS because it is a 
> > product that can be deployed deep inside a network.
>
> Everyone is excited about IPS because Gartner has hyped the 
> hell out of it and Gartner's own analysts (apparently) can't 
> come up with a decent definition of what it is.
[...]
> I'll tell you what it is: it's hype. That's all.
[...]
> Gartner has created a self-fulfilling circle-jerk.

(drunk voice) "I love you, man."

[...]
> > Some of the network IPS vendors are profiting from the need 
> to throttle undesirable traffic (file sharing) at universities. 
>
> Anyone on the list care to corroborate this?

Uh, why wouldn't they use traffic shaping, which is mature and cheaper? Is a
standard Cisco router an inline IPS now? Cool!

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards