IDS mailing list archives
RE: RE: IDS vs. IPS deployment feedback
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Thu, 30 Mar 2006 08:30:51 -0800
> If by firewall, you mean a proxy which validates protocols and is in default deny mode, then you are just wrong.
> "If I don't have a proxy for it, I don't let the traffic through" works
> just fine.
> An IPS looks at stuff on the wire, decides what is bad, and blocks it. A real firewall looks at stuff on the wire, decides what is good, and allows it. A real firewall hooks into everything (servers, network equipment, desktops...).
Proxy firewalls make up a small (and shrinking) percentage of the market of firewalls. And having worked with over 500 different companies, my experience is that proxy-based firewalls are rarely deployed in the manner you describe. The default deny from unknown or unallowed protocols is almost ALWAYS turned off because it breaks some important business system that was poorly coded.

Furthermore, a proxy validating protocols still cannot stop a lot of exploits. Plenty of exploits live quite comfortably inside the RFC specs for a protocol. And in this case, your proxy firewall would do nothing to stop them. Most firewalls have no insight into application-layer content. And most exploits are application-layer exploits. This isn't just some insane idea, it's a fact. You can ignore this and tell yourself 10000 times you don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls are not sufficient protection for most organizations.
> Once you have a firewall in place, you need a system which analyses logs and traffic which gets through your firewall.
Which is why you sandwich your firewall with a good IPS, so you can see what gets through and block it - if necessary.

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm
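As an added example (not part of the post above or of any code from the thread's participants), the following Python models the two checks the thread contrasts: a default-deny, protocol-validating proxy that only asks "is this well-formed HTTP?", and a content-inspection rule set of the kind an IPS applies to what the proxy lets through. The allowed-method list, the two content rules and the four sample requests are constructed for illustration; the point it shows is that an RFC-conformant request carrying a SQL injection or path traversal sails through protocol validation and is only caught by looking at application-layer content.

```python
"""Added example (not from the list post): a default-deny, protocol-validating
proxy check next to a content-inspection (IPS-style) check, run over a few
constructed HTTP requests.  All rules and sample requests are constructed."""
import re
from urllib.parse import unquote

# Default-deny policy of the proxy: anything not explicitly allowed is dropped.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
REQUIRED_HEADERS = {"host"}
# RFC 7230 tchar set, used for header field names.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def proxy_allows(raw: str) -> tuple[bool, str]:
    """Protocol validation only: is this a well-formed HTTP/1.x request?
    Returns (allowed, reason).  Nothing here looks at what the request means."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if version not in ALLOWED_VERSIONS:
        return False, f"version {version} not permitted"
    if not target.startswith("/"):
        return False, "target must be origin-form"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            return False, f"bad header line: {line!r}"
        headers[name.lower()] = value.strip()
    missing = REQUIRED_HEADERS - headers.keys()
    if missing:
        return False, f"missing header(s): {sorted(missing)}"
    return True, "RFC-conformant request"


# Content rules an IPS would apply to traffic the proxy already passed.
# Each rule is (name, compiled regex over the URL-decoded request).  Hypothetical rules.
CONTENT_RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("path-traversal", re.compile(r"(^|/)\.\./")),
]


def ips_verdict(raw: str) -> list[str]:
    """Return the names of content rules that match the decoded request."""
    decoded = unquote(raw)
    return [name for name, rx in CONTENT_RULES if rx.search(decoded)]


def inspect(raw: str) -> str:
    """Run a request through proxy validation first, then content inspection."""
    ok, reason = proxy_allows(raw)
    if not ok:
        return f"proxy-deny: {reason}"
    hits = ips_verdict(raw)
    if hits:
        return "ips-block: " + ",".join(hits)
    return "pass"


# Constructed sample traffic.
SAMPLES = {
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Not HTTP at all: the default-deny proxy stops it without any signature.
    "garbage": "HELO smtp.example.com\r\n\r\n",
    # Perfectly valid HTTP/1.1 carrying a SQL injection in the query string.
    "sqli": "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Valid syntax, directory traversal in the path.
    "traversal": "GET /static/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def run_all() -> dict[str, str]:
    """Verdict for every sample: proxy-deny, ips-block, or pass."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:10s} {verdict}")
```

The "garbage" sample is what a default-deny proxy is good at: it never reaches content inspection. The "sqli" and "traversal" samples pass `proxy_allows` with the reason "RFC-conformant request", which is exactly the class of traffic the post says a protocol-validating proxy cannot stop; only the content rules flag them.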
Current thread:
- RE: IDS vs. IPS deployment feedback, (continued)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 23)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Mar 27)
- RE: IDS vs. IPS deployment feedback Cojocea, Mike (IST) (Mar 27)
- Re: RE: IDS vs. IPS deployment feedback xris375 (Mar 27)
- RE: RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 28)
- Re: RE: IDS vs. IPS deployment feedback Devdas Bhagat (Mar 29)
- Re: RE: IDS vs. IPS deployment feedback Jean-Philippe Luiggi (Mar 31)
- Re: RE: IDS vs. IPS deployment feedback Devdas Bhagat (Mar 29)
- Re: RE: RE: IDS vs. IPS deployment feedback xris375 (Mar 30)
- Re: RE: RE: IDS vs. IPS deployment feedback Sanjay Rawat (Mar 31)
- Re: Re: RE: RE: IDS vs. IPS deployment feedback trashcanmn (Mar 31)
- RE: RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 31)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 23)