
| Subject: | RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) |
|---|---|
| Date: | Wed, 18 Aug 2004 15:31:32 -0400 |
Last month, Richard Beijtlich (sorry if I mangled your last name, Rich) said the following: "If I could have one wish granted, it would be for the IPS to be recognized as a layer 7 firewall, and not compared to an IDS." That sentence really resonated with me. It seems to make a lot of sense to me that an IPS might eventually be what gets used as a firewall...one which takes the next evolutionary step.

At first, there were packet filters, which only cared about what ports were used and which hosts were talking; they were ignorant with regard to connection state, fragmentation, or any other aspects of the communication. And they failed to account for services like FTP, where an outside host needs to open a second inbound channel on an unpredictable port to the server. But it definitely cut back on the exposure of a network to outside attackers.

Then came stateful inspection, which addressed some of these problems. Now, you couldn't just slip things through a firewall as easily just by setting a source port of 53. And because the firewall could do packet inspection to a certain degree, FTP would work transparently as well. And it could reject fragmented packets, or other packets that were deliberately malformed. But it still couldn't tell the intent of the traffic passing back and forth; a simple GET request for "www.foo.org/index.html" looked the same to it as a GET request that used the unicode attack to traverse directories and grab a copy of the SAM. But just the same, it cut back even more on the exposure level.

But what if the next step was to be able to specify not just that, but also to weed out a good bit of the hostile activity that would otherwise pass through unnoticed by the firewall? Mind you, I'm not saying that I think IPS would catch everything, or that it could even watch for attacks on all protocols, but it can definitely stop a good chunk of them. The exposure of your network has gone down, yet again.
Even better is that I would expect an IPS to stop the most mundane and common attacks, the ones used by the ankle-biters. And while these are easier to deal with in the first place, nonetheless machines do go accidentally unpatched (or misconfigured), and the kiddies are so numerous that I feel that their attacks are the largest threat, based on sheer force of numbers. So the next level IPS/firewall/whatever you call it has cut back on most of the background noise, allowing you to focus on the really unique and truly dangerous (and, as Mudge once said, "really cool") hacks.
-----Original Message-----
From: Jacob Winston [mailto:jctx09@yahoo.com]
Sent: Sunday, August 15, 2004 10:46 PM
To: focus-ids@securityfocus.com
Subject: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

Things are getting a little confusing. ISS claims that its Proventia boxes are also firewalls. Intrushield 2.1 has firewall/layer 4 filtering capabilities now. If the Intrushield box has layer 4 ACLs now, then what makes it not be equal to a firewall? What does a firewall do that an IPS doesn't as long as the IPS can do layer-4 access lists? Any info is appreciated.
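As an added illustration (not from the post, and not the code of any product named in the thread), the following Python models the three generations the reply describes, a packet filter, a stateful filter and a content-inspecting filter, and runs each over constructed sample packets; ALLOWED_INBOUND, the sample addresses and the request paths are all assumptions.

```python
# Added illustration: the three firewall generations from the post, run over constructed sample packets.
from urllib.parse import unquote_to_bytes
ALLOWED_INBOUND = {80}  # assumed: the only inbound service port the perimeter permits

def packet_filter(pkt, _state=None):
    """Gen 1: ports and hosts only; anything from port 53 passes (the 'sport 53' hole)."""
    return pkt["dport"] in ALLOWED_INBOUND or pkt["sport"] == 53

def stateful_filter(pkt, state):
    """Gen 2: a new connection needs a SYN to a permitted port; the rest must be tracked."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if pkt["flags"] == "SYN" and pkt["dport"] in ALLOWED_INBOUND:
        state.add(key)
        return True
    return key in state

def loose_decode(raw):
    """Percent-decode, then map an overlong two-byte UTF-8 form (0xC0/0xC1 lead byte)
    back to the ASCII character it spells, so an encoded '/' is seen as '/'."""
    data, out, i = unquote_to_bytes(raw), [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)

def has_traversal(target):  # True when the decoded request path has a '..' segment
    path = loose_decode(target).split("?", 1)[0].replace("\\", "/")
    return ".." in path.split("/")

def layer7_filter(pkt, state):
    """Gen 3: the stateful check plus a look at what the GET actually asks for."""
    if not stateful_filter(pkt, state):
        return False
    parts = pkt.get("payload", "").split(" ")
    return not (len(parts) > 1 and parts[0] == "GET" and has_traversal(parts[1]))

PACKETS = [  # constructed samples: each is a connection's opening flags plus its first request
    ("index page", dict(src="198.51.100.7", sport=40001, dst="192.0.2.10", dport=80, flags="SYN", payload="GET /index.html HTTP/1.0")),
    ("sport 53 to closed port", dict(src="198.51.100.9", sport=53, dst="192.0.2.10", dport=139, flags="ACK", payload="")),
    ("encoded traversal", dict(src="198.51.100.8", sport=40002, dst="192.0.2.10", dport=80, flags="SYN", payload="GET /public/..%c0%af..%c0%afsecret.txt HTTP/1.0")),
]
def allowed_by(filter_fn):  # names of the samples a given generation lets through
    state = set()
    return [name for name, pkt in PACKETS if filter_fn(pkt, state)]
```

Calling allowed_by with each filter in turn shows the exposure shrinking generation by generation: the packet filter passes all three samples, the stateful filter drops the unsolicited port-53 packet, and only the content-inspecting filter drops the encoded traversal.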