| Subject: | RE: Firewalls (was Re: IDS evaluations procedures) |
|---|---|
| Date: | Wed, 20 Jul 2005 19:17:32 -0700 |
It would be difficult to dub IPS as a better firewall, as traditional and Layer 7 firewalls fall more into the category of the IDS/IPS solutions based on signature analysis (consider the DoS attack scenarios, or where attacks are going across multiple sessions). IDS solutions do tend to handle all kinds of protocol and behavioral anomalies, which give a true picture of a network under attack. If we were to draw a simplified architecture, an IPS solution is kind of like an IDS analysis block with an inbuilt firewall/protection mechanism.

Now if we go by the reasoning of putting an IPS/firewall ahead to reduce alerts, that would lead to an incorrect depiction of the attack scenario, because many times it is essential to do a forensic analysis of all the traffic which is hitting the network to reach the conclusion that an attack is underway.

When is an IPS useful? I would say when we want to clean up our pipes by dropping the well-identified malicious traffic at the perimeters.

----------------------------------------------
To have known the best, and to have known it for the best, is success in life.

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@gmail.com]
Sent: Monday, July 18, 2005 6:10 PM
To: Devdas Bhagat; focus-ids@securityfocus.com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

On 7/17/05, Devdas Bhagat <devdas@dvb.homelinux.org> wrote:
An IDS is not an attack prevention mechanism. An IDS is a tool to detect when your active attack detection mechanisms have been bypassed. An IDS is passive. It tells you what it can see, but it is not supposed to do anything to that traffic. Active elements are called firewalls, and firewalls include both packet filters and proxies.
Wow, I had almost given up hope that anyone else thought this way. Bravo Devdas.

The "IPS is better than IDS" crowd ignores the fact that an IPS is another kind of firewall, not an "improved" IDS. In fact, you could argue the IPS is a step backward from a stateful layer 3/4 firewall in that the IPS inverts a proven security model. Good security (implemented on most firewalls) says "allow what policy says is authorized, deny all else." The IPS model says "deny what policy says is malicious, allow all else." Marty pointed this out a while ago and it has stayed with me.

I think IPS is helpful when one needs to make granular access control decisions based on layer 7 traffic characteristics. However, large parts of the security community are still confused by a marketing person's decision to replace the letter "D" with a "P" in the I_S acronym.

Thank you,

Richard
http://www.taosecurity.com

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
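The two points made in this thread (that an inline IPS inverts the default-deny model of a stateful firewall, and that dropping traffic in front of a sensor removes the forensic record the sensor would otherwise keep) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any product: it models a stateful layer 3/4 firewall, an inline IPS, and a passive IDS as three policy functions and runs the same constructed flows through each. The flow records, the `SIGNATURES` table and the `AUTHORIZED` service list are all constructed for the example.

```python
"""Toy comparison of three traffic-handling models discussed in the thread.

- stateful_firewall: "allow what policy authorizes, deny all else" (default deny)
- inline_ips:        "deny what a signature flags, allow all else" (default allow)
- passive_ids:       forwards everything untouched and only raises alerts

All flows, signatures and policy entries below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    proto: str
    payload: str


# Constructed sample traffic: two legitimate flows, one flow matching a known
# signature, and one novel attack that no signature describes.
FLOWS = [
    Flow("10.0.0.5", 80, "tcp", "GET /index.html HTTP/1.1"),
    Flow("10.0.0.6", 443, "tcp", "<tls client hello>"),
    Flow("198.51.100.9", 80, "tcp", "GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    Flow("198.51.100.9", 8080, "tcp", "<unknown new exploit payload>"),
]

# Constructed signature table (what an IDS/IPS matches on).
SIGNATURES = {"path-traversal": "../.."}

# Constructed firewall policy: the only (dst_port, proto) services authorized.
AUTHORIZED = {(80, "tcp"), (443, "tcp")}


def match_signature(flow):
    """Return the name of the first signature found in the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in flow.payload:
            return name
    return None


def stateful_firewall(flows):
    """Default deny: forward only flows whose service is explicitly authorized.

    A layer 3/4 device does not inspect the payload, so a malicious request
    to an authorized port still passes; that is the layer 7 gap an IPS fills."""
    return [f for f in flows if (f.dst_port, f.proto) in AUTHORIZED]


def inline_ips(flows):
    """Default allow: drop only flows a signature flags; forward everything else.

    Anything without a signature, including a novel attack, passes through."""
    return [f for f in flows if match_signature(f) is None]


def passive_ids(flows):
    """Passive: forward every flow unchanged; return (forwarded, alerts)."""
    alerts = [(f, match_signature(f)) for f in flows if match_signature(f)]
    return list(flows), alerts


def compare(flows=FLOWS):
    """Run the same traffic through each model and summarise the outcome."""
    fw_pass = stateful_firewall(flows)
    ips_pass = inline_ips(flows)
    ids_pass, ids_alerts = passive_ids(flows)
    # An IDS placed behind the IPS sees only what the IPS chose to forward,
    # so the dropped flow never appears in its record.
    _, alerts_behind_ips = passive_ids(ips_pass)
    novel = lambda fs: any(f.dst_port == 8080 for f in fs)
    return {
        "firewall_forwarded": len(fw_pass),
        "ips_forwarded": len(ips_pass),
        "ids_forwarded": len(ids_pass),
        "ids_alerts_standalone": len(ids_alerts),
        "ids_alerts_behind_ips": len(alerts_behind_ips),
        "novel_attack_passes_firewall": novel(fw_pass),
        "novel_attack_passes_ips": novel(ips_pass),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running `compare()` shows the trade-off the thread describes: the default-deny firewall stops the novel flow on port 8080 but passes the traversal request on port 80, the default-allow IPS drops the traversal request but passes the novel flow, and an IDS placed behind the IPS records no alert for the traffic the IPS already dropped.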