IDS mailing list archives
Re: Firewalls (was Re: IDS evaluations procedures)
From: Nick Black <dank () qemfd net>
Date: Wed, 20 Jul 2005 20:10:55 -0400
Richard Bejtlich rigorously showed:
In fact, you could argue the IPS is a step backward from a stateful layer 3/4 firewall in that the IPS inverts a proven security model. Good security (implemented on most firewalls) says "allow what policy says is authorized, deny all else." The IPS model says "deny what policy says is malicious, allow all else." Marty pointed this out a while ago and it has stayed with me.
This statement seems quite too general -- who is to define the "IPS model" as it is implemented in a wide swath of appliances? I can speak with some authority regarding our hybridized approach here at Reflex, and suggested deployment procedure: the very first activity performed on a new install is the same determination of necessary network traffic one would codify when preparing a link/network/transport-layer firewall. Signature and anomaly-based detection follows this basic {protocol X addressing}-based blacklisting (although it can also be applied to data already rejected, should a customer wish to spend resources examining such). Your issue seems to be more properly with those who configure IPS devices, and perhaps those who write misleading documentation and marketing info, than with the "IPS model".

--
nick black
"np: the class of dashed hopes and idle dreams."
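To make the two policy models in this exchange concrete, here is an added toy packet filter (not code from the thread, from Reflex, or from any product): a blacklist-only evaluator beside the hybrid "allowlist first, then signatures on what was permitted" order Nick describes. The allowlist, the signature patterns and the sample packets are all constructed for the demo.

```python
# Added example: contrasting "deny what is malicious, allow the rest" with
# "allow what is authorized, then inspect it". All rules and packets below are
# constructed placeholders, not real IDS signatures or a real site policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # transport protocol, e.g. "tcp" or "udp"
    dst_port: int
    payload: bytes

# "Allow what policy says is authorized": the services this site actually needs.
ALLOWLIST = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# "Deny what policy says is malicious": constructed patterns standing in for
# signature content; any real deployment would carry a far larger set.
SIGNATURES = [b"../../", b"CONSTRUCTED-BAD-PATTERN"]

def matches_signature(pkt: Packet) -> bool:
    return any(sig in pkt.payload for sig in SIGNATURES)

def ips_only(pkt: Packet) -> str:
    """Pure blacklist model: drop on a signature hit, allow everything else."""
    return "drop" if matches_signature(pkt) else "allow"

def hybrid(pkt: Packet) -> str:
    """Firewall-style allowlist first; signatures run only on permitted traffic."""
    if (pkt.proto, pkt.dst_port) not in ALLOWLIST:
        return "drop"          # unknown service: denied by default, never inspected
    return "drop" if matches_signature(pkt) else "allow"

# Constructed sample traffic: a clean web request, a web request hitting a
# signature, and a clean-looking packet to a service nobody authorized.
SAMPLE = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", 80, b"GET /../../secret HTTP/1.1\r\n"),
    Packet("tcp", 31337, b"hello"),
]

def evaluate(model) -> list:
    """Run one policy model over the sample traffic; returns one verdict per packet."""
    return [model(p) for p in SAMPLE]

if __name__ == "__main__":
    for name, model in (("ips_only", ips_only), ("hybrid", hybrid)):
        print(f"{name:9s} {evaluate(model)}")
```

The third packet is the point of the thread: with no signature to match, the blacklist-only model lets traffic to an unauthorized service through, while the allowlist-first order drops it without ever needing a signature.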