Re: Firewalls (was Re: IDS evaluations procedures)

[Richard Bejtlich <taosecurity () gmail com>]

On 7/17/05, Devdas Bhagat <devdas () dvb homelinux org> wrote:

> An IDS is not an attack prevention mechanism. An IDS is a tool to detect
> when your active attack detection mechanisms have been bypassed. An IDS is
> passive. It tells you what it can see, but it is not supposed to do
> anything to that traffic. Active elements are called firewalls, and
> firewalls include both packet filters and proxies.

Wow, I had almost given up hope that anyone else thought this way. 
Bravo Devdas.  The "IPS is better than IDS" crowd ignores the fact
that an IPS is another kind of firewall, not an "improved" IDS.

In fact, you could argue the IPS is a step backward from a stateful
layer 3/4 firewall in that the IPS inverts a proven security model. 
Good security (implemented on most firewalls) says "allow what policy
says is authorized, deny all else."  The IPS model says "deny what
policy says is malicious, allow all else."  Marty pointed this out a
while ago and it has stayed with me.

I think IPS is helpful when one needs to make granular access control
decisions based on layer 7 traffic characteristics.  However, large
parts of the security community are still confused by a marketing
person's decision to replace the letter "D" with a "P" in the I_S
acronym.

Thank you,

Richard
http://www.taosecurity.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------