I agree that a simple packet filtering firewall that makes decisions on
an L2 - L4 basis will not stop an exploit on an allowed port as you
describe. However, I disagree that "a firewall" (a very wide range of
products call themselves that) "will not" (a universal absolute one
ought to be careful of using) protect an MS system form an LSASS
exploit. ALGs integrated into firewalls are getting very good, very
quickly as the firewall vendors work to protect their market from the
incursion of the IPS vendors.
I've said it before and I'll say it again (and I'm sure I'll be flamed
for it again): I think the industry will EITHER see IPS disappear as the
firewall vendors start to do the same L7 inspection things and more on
top of their regular packet filtering duties OR IPS vendors will learn
how to do fast packet filtering on top of their L7 stuff and firewalls
will go the way of the dinosaur for not keeping up. I see no good
reason for both technologies to exist when they are similar enough that
one can be taught to do what the other does.
Regarding IDS, it is a well understood and peer-reviewed tenet of
information security that the most effective security systems have both
detective and preventative controls so I think IDS will continue to have
a place in the security structure (despite what some high profile folk
are paid to say) but they will need to get progressively smarter, more
intuitive and easier to use to stay competitive.
As far as HIPS is concerned, I'm definitely on board. Until context
sensitive IDS / IPS / L7 Firewalls get much better at being able to
CONCLUSIVELY determine the effect of a packet stream on an end system,
we'll always need 'bodyguards' for the high profile targets that are
much more tightly integrated than any off-system protective measure can
be.
My 2 cents,
Scott
-----Original Message-----
From: firewalls-return-4288-swozny=deloitte.com@securityfocus.com
[mailto:firewalls-return-4288-swozny=deloitte.com@securityfocus.com] On
Behalf Of Robert Synak
Sent: Monday, July 11, 2005 1:25 PM
To: firewalls@securityfocus.com
Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found
in subject
We're missing an important distinction here: the difference between a
firewall and an Intrusion Prevention System (IPS). A firewall will not
protect an MS system from an LSASS (for example) exploit. An Intrusion
Prevention System will protect an MS system from an LSASS exploit.
Firewalls are gatekeepers. They enforce traffic policy: allow port 80
and 443 out from all systems; allow port 25 out from the mail server;
allow port 25 in from any system. But I can hack on port 25 from the
Internet all I want. The firewall doesn't care that my traffic is
benign or mean. They just care that it's on the right port, originating
in the right place, yadda.
IPS systems are not gatekeepers. They typically don't care what port
things come through on. They watch all traffic and if the traffic is
mean they kill it.
Most host based IPS systems combine firewall and IPS functions.
Host based IPS' combined with network based IPS' and effective, well
configured firewalls, create a nice crunchy outer shell that can make a
company difficult to attack from the Internet and mitigate the risk of
internal compromise. They can make an attacker from the Internet look
for a softer target.
Host based IPS' do have their failings. For one, they run with full
privileges in the same memory space as the OSes and applications they
endeavor to defend. Therefore, any breach of the host based IPS - such
as the Witty Worm exploit against ISS Blackice - results in full root of
the system. This sort of problem makes having a network based IPS
sitting in-line on the wire a nice addition to host based IPS'.
Some would say throw everything into the network based IPS and forget
the host based systems. But network based IPS' - without things like
stand-alone SSL accelerators and for inbound SSL traffic and stand-alone
proxy servers terminating outbound client SSL sessions - only see
traffic in the clear. No network based IPS can see inside an encrypted
tunnel, like an SSL or VPN tunnel. However most host based systems shim
the IP stack and actually see all the traffic, encrypted and clear.
This allows one - without deploying SSL termination boxes - to defend
against attacks occurring through encrypted tunnels ... ones a network
based IPS wouldn't catch.
OK host based IPS systems:
> ISS
> EEye Blink
> Sygate Personal Firewall
> Symantec Personal Firewall
All of these can be centrally managed. Symantec and ISS have the most
comprehensive solutions, allowing you to manage host - both server and
desktop - and network IPS from a single box.
__________________________________________________________
Robert Synak, CISSP, CCNA, SCSA, MCSE, JNCIA-FW
Security Engineer
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-807-4429 Mobile
www.anitian.com
__________________________________________________________
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@tacteam.net]
Sent: Sunday, May 08, 2005 7:06 AM
To: firewalls@securityfocus.com
Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found
in subject
Hi Netnut,
These issues are clouded by the media, as they've misstated the meaning
of so-called "software" and "hardware" firewalls. All computing devices
depend on software, so the division between software and hardware is a
bit misleading.
What you're talking about a host-based firewall versus a network
firewall. Host-based firewalls protect a single machine, while network
firewalls like the Microsoft ISA firewall or Check Point's Firewall-1
(both of which are so-called "software" firewalls) are designed to
protect hundreds or thousands of computers on a corporate network.
Host-based firewalls allow you to limit access to service listeners
(tip: if someone say's "open a port" you know they're not very jiggy on
firewalls or TCP/IP networking), but if you explicitly open a listener,
then any vulnerability in that service is exposed.
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: netnut6@comcast.net [mailto:netnut6@comcast.net]
Sent: Saturday, May 07, 2005 2:31 PM
To: firewalls@securityfocus.com
Subject: [SPAM] - Software vs hardware firewalls ... - Email found in
subject
Hello,
I was wondering how a software based firewall(mcafee, Norton etc) can
help protect your machine if the operating system(Windows XP) is
vulnerable?
Also how is a software based firewall any better then hardware. The way
I see it if you have a software based firewall and the operating system
has security issues I doubt very much a software firewall will protect
that machine.whereas if it's a hardware based firewall and the operating
system has vulnerabilities the chances of it being attacked are slim
since they would have to first find some vulnerability with the hardware
firewall then go after the operating system(firewall default settings
with all ports closed). Obviously if a port is open and that
application has a vulnerability then it would get attacked. Please let
me know if I'm on the right track here.
Thank you..
This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law. If
you are not the intended recipient, you should delete this message. Any
disclosure, copying, or distribution of this message, or the taking of any
action based on it, is strictly prohibited. [v.E.1]
