
| Subject: | RE: Software vs hardware firewalls |
|---|---|
| Date: | Wed, 13 Jul 2005 10:16:11 +0530 |
I agree with Faisal that products like Netscreen and Sidewinder G2 are the products which offer these features. Sidewinder G2 is a hybrid firewall, which is an application-level firewall.

With Best Regards
Arunodhay Koul
Logix Microsystems Ltd.
New Delhi
Mobile: +91-09350881881

-----Original Message-----
From: Faisal Khan [mailto:faisal@netxs.com.pk]
Sent: Tuesday, July 12, 2005 10:40 AM
To: firewalls@securityfocus.com
Subject: Software vs hardware firewalls

That may be true for the traditional definition of a firewall. But firewalls have evolved too. Products like Netscreen now offer DPI (Deep Packet Inspection), which can, for example, stop viruses and worms right now, and it won't be long before firewalls have native IDS capabilities built in. I think the correct word for IPS, IDS, firewalls, etc. is convergence.

At 10:24 PM 7/11/2005, you wrote:
We're missing an important distinction here: the difference between a firewall and an Intrusion Prevention System (IPS). A firewall will not protect an MS system from an LSASS (for example) exploit. An Intrusion Prevention System will protect an MS system from an LSASS exploit.

Firewalls are gatekeepers. They enforce traffic policy: allow port 80 and 443 out from all systems; allow port 25 out from the mail server; allow port 25 in from any system. But I can hack on port 25 from the Internet all I want. The firewall doesn't care whether my traffic is benign or mean. It just cares that it's on the right port, originating in the right place, yadda.

IPS systems are not gatekeepers. They typically don't care what port things come through on. They watch all traffic and if the traffic is mean they kill it. Most host based IPS systems combine firewall and IPS functions. Host based IPS' combined with network based IPS' and effective, well configured firewalls create a nice crunchy outer shell that can make a company difficult to attack from the Internet and mitigate the risk of internal compromise. They can make an attacker from the Internet look for a softer target.

Host based IPS' do have their failings. For one, they run with full privileges in the same memory space as the OSes and applications they endeavor to defend. Therefore, any breach of the host based IPS - such as the Witty Worm exploit against ISS BlackICE - results in full root of the system. This sort of problem makes having a network based IPS sitting in-line on the wire a nice addition to host based IPS'. Some would say throw everything into the network based IPS and forget the host based systems. But network based IPS' - without things like stand-alone SSL accelerators for inbound SSL traffic and stand-alone proxy servers terminating outbound client SSL sessions - only see traffic in the clear. No network based IPS can see inside an encrypted tunnel, like an SSL or VPN tunnel.

However, most host based systems shim the IP stack and actually see all the traffic, encrypted and clear. This allows one - without deploying SSL termination boxes - to defend against attacks occurring through encrypted tunnels ... ones a network based IPS wouldn't catch.

OK, host based IPS systems:

- ISS
- EEye Blink
- Sygate Personal Firewall
- Symantec Personal Firewall

All of these can be centrally managed. Symantec and ISS have the most comprehensive solutions, allowing you to manage host - both server and desktop - and network IPS from a single box.
Faisal Khan
CEO
Net Access Communication Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6, PECHS, Main Shahrah-e-Faisal, Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Email: faisal@netxs.com.pk
Web: www.netxs.com.pk
www.dos-attacks.com - Everything you wanted to know about DoS/DDoS Attacks
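The firewall-versus-IPS distinction drawn in the quoted post, modelled as an added example (not code from any poster): the gatekeeper policy from the post beside a payload-inspecting network IPS and a host IPS that sees traffic after decryption. The addresses, signature markers and the XOR "decryption" are constructed stand-ins.

```python
from dataclasses import dataclass
MAIL_SERVER = "10.0.0.25"  # constructed address of the internal mail server

# The gatekeeper policy as the quoted post states it: (direction, source, dest port)
FIREWALL_RULES = [
    ("out", "any", 80),
    ("out", "any", 443),
    ("out", MAIL_SERVER, 25),
    ("in", "any", 25),
]

# Constructed marker strings standing in for real IPS content signatures
IPS_SIGNATURES = [b"CONSTRUCTED-SIG-1", b"CONSTRUCTED-SIG-2"]

@dataclass
class Packet:
    direction: str           # "in" (from the Internet) or "out"
    src: str
    dport: int
    payload: bytes
    encrypted: bool = False  # True when the bytes are an opaque SSL/VPN tunnel

def firewall_allows(pkt: Packet) -> bool:
    """Firewall: right port, right direction, right origin. The payload is never read."""
    return any(d == pkt.direction and p == pkt.dport and s in ("any", pkt.src)
               for d, s, p in FIREWALL_RULES)

def network_ips_verdict(pkt: Packet) -> str:
    """In-line network IPS: ignores the port and inspects the payload, but only in the clear."""
    if pkt.encrypted:
        return "pass-opaque"  # no SSL termination in front of it, so it cannot see inside
    return "drop" if any(s in pkt.payload for s in IPS_SIGNATURES) else "pass"

def toy_decrypt(data: bytes) -> bytes:
    """Stand-in for the host's own SSL/VPN decryption (constructed XOR, not real crypto).
    XOR is its own inverse, so the same call also 'encrypts' the sample traffic below."""
    return bytes(b ^ 0x5A for b in data)

def host_ips_verdict(pkt: Packet) -> str:
    """Host IPS shimmed into the IP stack: inspects the payload after the host decrypts it."""
    data = toy_decrypt(pkt.payload) if pkt.encrypted else pkt.payload
    return "drop" if any(s in data for s in IPS_SIGNATURES) else "pass"

# Constructed traffic: the marker on port 25 passes the firewall (allowed port) but the IPS
# drops it; the same marker in a tunnel on 443 is only seen by the host IPS after decryption.
HOSTILE_SMTP = Packet("in", "203.0.113.7", 25, b"EHLO x\r\nCONSTRUCTED-SIG-1")
HOSTILE_TUNNEL = Packet("out", "10.0.0.50", 443, toy_decrypt(b"CONSTRUCTED-SIG-2"), True)
```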