IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: Stefano Zanero <s.zanero () securenetwork it>
Date: Wed, 22 Oct 2008 19:08:14 +0200

"Zow" Terry Brugger wrote:

> Unless it is a transparent application proxy,

Given. Still, it works at the application layer, otherwise it is a
cunningly-renamed stateful firewall which performs deep inspection.

> Unless it is an IPS, in which case

In which case it is not an IDS, and thus not in scope with the original
question :)

> The difference I'd see is that network IDS/IPS devices typically look
> for specific signatures (sequences of bytes, regular expressions,
> certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
> or network (IP) level packet.

Counterexamples: Arbor, Lancope

> Most can do some degree of session
> reassembly, but only in so far as to catch signatures which are
> divided across multiple packets.

I'm pretty sure that Martin Roesch, if he reads, will have something to
say here :)

-- 
Best regards,

Ing. Stefano Zanero, PhD
CTO & Co-Founder

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI)
Phone: +39 02.24126788
Fax: +39 02.24126789
email: s.zanero () securenetwork it
web: www.securenetwork.it
