Re: Firewalls (was Re: IDS evaluations procedures)

[Nick Black <dank () qemfd net>]

Richard Bejtlich rigorously showed:
> In fact, you could argue the IPS is a step backward from a stateful
> layer 3/4 firewall in that the IPS inverts a proven security model. 
> Good security (implemented on most firewalls) says "allow what policy
> says is authorized, deny all else."  The IPS model says "deny what
> policy says is malicious, allow all else."  Marty pointed this out a
> while ago and it has stayed with me.

This statement seems quite too general -- who is to define the "IPS
model" as it is implemented in a wide swath of appliances? I can speak
with some authority regarding our hybridized approach here at Reflex,
and suggested deployment procedure: the very first activity performed on
a new install is the same determination of necessary network traffic one
would codify when preparing a link/network/transport-layer firewall.
Signature and anomaly-based detection follows this basic {protocol X
addressing}-based blacklisting (although it can also be applied to data
already rejected, should a customer wish to spend resources examining
such). 

Your issue seems to be more properly with those who configure IPS
devices, and perhaps those who write misleading documentation and
marketing info, than with the "IPS model".

-- 
nick black          "np:  the class of dashed hopes and idle dreams."

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------