IDS mailing list archives
Re: IDS vs Application Proxy Firewall
From: "Zow" Terry Brugger <zow () acm org>
Date: Wed, 22 Oct 2008 11:05:49 -0700
> Given. Still, it works at the application layer, otherwise it is a cunningly-renamed stateful firewall which performs deep inspection.

Absolutely, which I think underscores the point I was driving at, but never actually said, which is that the difference between the devices is primarily that of what network layer it's operating at. As with any network devices, as the field advances, we're going to see this line blur.

>> Unless it is an IPS, in which case
>
> In which case it is not an IDS, and thus not in scope with the original question :)

Now that's splitting hairs. :-) The market has really shifted from IDS to IPS, and I'd be hard pressed to name a network IDS that didn't have an active response version or add-on.

>> The difference I'd see is that network IDS/IPS devices typically look for specific signatures (sequences of bytes, regular expressions, certain flags set in the headers, etc) on a session (TCP, UDP, ICMP) or network (IP) level packet.
>
> Counterexamples: Arbor, Lancope

Keyword: "typically". Even among the traditional signature based IDSs, many use some more advanced algorithms to detect (and possibly block :-) DoS attacks, where simple thresholding is insufficient due to the false positive rate, especially in the face of (legitimate) flash crowds. (I'm not claiming those algorithms are perfect, or even good, just better.) Arbor and Lancope both offer interesting options in the network anomaly detection department, and there's a plethora of research systems using more advanced techniques. Of course, we don't currently have the means to quantitatively test such systems, which is where my current research interests lie.

>> Most can do some degree of session reassembly, but only in so far as to catch signatures which are divided across multiple packets.
>
> I'm pretty sure that Martin Roesch, if he reads, will have something to say here :)

Oh, certainly -- in fact I would love to hear his thoughts in this area.

Cheers,
Terry
#include <stddisclaim.h>
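The reassembly point raised above (a signature divided across multiple packets is only caught once the session is put back together), shown as an added example that is not part of this thread, of Snort, or of any IDS product: a small Python reassembler orders TCP segments by sequence number, tolerates out-of-order arrival and retransmitted overlaps, stops at the first gap, and matches a signature against the reconstructed stream, next to a per-packet matcher that misses the same signature. The signature, the request payload, the sequence numbers and the segment split are all constructed for the demonstration.

```python
"""Per-packet signature matching versus matching after TCP stream reassembly.

Added example, not code from the IDS mailing-list thread or from any IDS
project. Everything below (signature, payload, sequence numbers) is constructed.
"""
import re
from dataclasses import dataclass

# Constructed, hypothetical signature: a request path a content-based IDS
# rule might look for. Any byte pattern would do; the point is the split.
SIGNATURE = re.compile(rb"/cgi-bin/evil\.cgi")


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # payload of this segment only


def per_packet_alerts(segments):
    """Match the signature against each segment on its own.

    Returns the sequence numbers of segments that matched. A signature that
    straddles a segment boundary is never seen by this matcher.
    """
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]


def reassemble(segments, isn):
    """Rebuild the contiguous byte stream starting at sequence number `isn`.

    Segments may arrive in any order and may overlap (retransmissions); the
    first copy of each byte wins, which is the simplest consistent policy.
    Reassembly stops at the first hole so nothing is matched across a gap.
    """
    buf = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            break                        # hole in the stream: stop here
        already_seen = expected - s.seq  # bytes of this segment we have
        if already_seen < len(s.payload):
            buf += s.payload[already_seen:]
            expected = s.seq + len(s.payload)
    return bytes(buf)


def stream_alerts(segments, isn):
    """Match the signature against the reassembled stream.

    Returns the byte offsets (into the stream) of every match.
    """
    data = reassemble(segments, isn)
    return [m.start() for m in SIGNATURE.finditer(data)]


# Constructed sample: one HTTP request line split so the signature is divided
# between two segments, delivered out of order, with the first segment also
# retransmitted once.
ISN = 1000
FULL_REQUEST = b"GET /cgi-bin/evil.cgi HTTP/1.0\r\n"
_first, _second = FULL_REQUEST[:15], FULL_REQUEST[15:]   # "...ev" | "il.cgi..."
SAMPLE_SEGMENTS = [
    Segment(seq=ISN + 15, payload=_second),   # arrives first
    Segment(seq=ISN, payload=_first),         # then the real first segment
    Segment(seq=ISN, payload=_first),         # then a retransmitted copy
]


if __name__ == "__main__":
    print("per-packet matches:", per_packet_alerts(SAMPLE_SEGMENTS))      # []
    print("reassembled:", reassemble(SAMPLE_SEGMENTS, ISN))
    print("stream matches at offsets:", stream_alerts(SAMPLE_SEGMENTS, ISN))  # [4]
```

The first-copy-wins overlap policy is a simplification; real stacks differ in which copy of overlapping data they honour, and an IDS that reassembles differently from the end host can be evaded or generate false alerts, which is why production reassemblers model the target's behaviour rather than picking one rule for all hosts.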