Hi Jacob,
Here's the way I see it:
1. Firewalls filter
2. IDSs alarm
3. Both Firewalls and IDSs have to have "some" degree of "smarts" to be able to
do their
respective jobs.
4. "Smarts" when applied to filters OR detection systems, is largely a function
of how many
layers of the protocol stack the system understands. E.g., Cisco standard
ACLs (earliest
version of router used to also do firewall-like filtering) could ONLY filter
on source IP.
Then, Cisco introduced extended ACLs... NOW the router could filter on src &
dest IP, AND
src & dest PORT number <--- that is, the router would look into layer 4 (TCP
or UDP) to
see what the port numbers were... hence "smarter" filtering decisions.
5. IDSs need to be "smart" as well. E.g., if an IDS sees inbound Syn traffic
going TO port 53 (DNS)
on a box that is NOT an a DNS server, that may likely indicate someone doing
some recon. So
the IDS is getting cueing from layer 4 info (the port numbers). Also, most
good IDSs will
also need to inspect payload, which is MOST DIFFICULT due to the wide
variety of applications
that the payload applies to.
6. Since both filtering devices (e.g., routers and firewalls) and IDS devices
need to be "smart"
enough to detect foul play.... why not admit the obvious and combine the two
technologies?
This is why the NEW buzz tech these days is IPS (Intrusion Prevention
Systems)-- that is; if
you're smart enough to flag traffic as an intrusion attempt... then why not
block it!! Duh.
You will also see this new tech referred to as IDP (Intrusion Detection and
Prevention).
7. I think the vendors are taking this relatively simple concept (i.e., the
joining of two basic
technologies) and just writing about it in 100 different ways. It may seem
like 100 different
things... but it's not. Sure... the exact DETAILS of HOW each vendor
actually implements their
detection may vary... but the basic idea is straight forward and simple.
JD Fulp
Lecturer, Naval Postgraduate School
-----Original Message-----
From: Jacob Winston [mailto:jctx09@yahoo.com]
Sent: Sunday, August 15, 2004 7:46 PM
To: focus-ids@securityfocus.com
Subject: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)
Things are getting a little confusing. ISS claims that its Proventia boxes are
also firewallas. Intrushield 2.1 has firewall/layer 4 filtering capabilities
now. If the Intrushield box layer 4 acls now then what makes it not be equal to
a firewall? What does a firewall do that an IPS doesn't as long as the IPS can
do layer-4 access lists? Any info is apprecaited.
--------------------------------------------------------------------------
FREE Network Security Webinar - How to implement IPSec security into VPN
appliances
New threats and vulnerabilities require new high-performance IPSec VPN
solutions for network protection.
Join the security experts from SafeNet on August 26 at 1:00 PM (Eastern), and
learn how to successfully integrate IPSec security into VPN processors and
appliances to provide powerful yet cost-effective VPN solutions for your
customers.
Register now:
http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
--------------------------------------------------------------------------
--------------------------------------------------------------------------
FREE Network Security Webinar - How to implement IPSec security into VPN
appliances
New threats and vulnerabilities require new high-performance IPSec VPN
solutions for network protection.
Join the security experts from SafeNet on August 26 at 1:00 PM (Eastern), and
learn how to successfully integrate IPSec security into VPN processors and
appliances to provide powerful yet cost-effective VPN solutions for your
customers.
Register now:
http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817
--------------------------------------------------------------------------
