
| Subject: | Re: Firewalls (was Re: IDS evaluations procedures) |
|---|---|
| Date: | Thu, 21 Jul 2005 07:55:36 -0400 |
On 7/20/05, Nick Black <dank@qemfd.net> wrote:
> Richard Bejtlich rigorously showed:
>
> > In fact, you could argue the IPS is a step backward from a stateful layer 3/4 firewall in that the IPS inverts a proven security model. Good security (implemented on most firewalls) says "allow what policy says is authorized, deny all else." The IPS model says "deny what policy says is malicious, allow all else." Marty pointed this out a while ago and it has stayed with me.
>
> This statement seems quite too general -- who is to define the "IPS model" as it is implemented in a wide swath of appliances? I can speak with some authority regarding our hybridized approach here at Reflex, and suggested deployment procedure: the very first activity performed on a new install is the same determination of necessary network traffic one would codify when preparing a link/network/transport-layer firewall. Signature and anomaly-based detection follows this basic {protocol X addressing}-based blacklisting (although it can also be applied to data already rejected, should a customer wish to spend resources examining such).
>
> Your issue seems to be more properly with those who configure IPS devices, and perhaps those who write misleading documentation and marketing info, than with the "IPS model".
Hi Nick and list,

If someone configures their layer 3/4 firewall to block, say, ports 111 TCP and 445 TCP, and let everything else pass, we would agree that is a poor deployment model. People still do this, unfortunately.

If someone configures their layer 7 firewall (aka IPS) to block traffic identified by signature, anomaly, vulnerability, whatever, and let everything else pass, now we're discussing the way almost everyone deploys IPSs. I have not heard anyone defining and passing "authorized" traffic and denying everything else via IPS. In fact, a hot hardware item these days is inline bypass switches to avoid inline IPSs that fail. "Better to keep the traffic flowing than fail closed!" is the rationale.

I detest the term IPS, as it is a pure marketing term. It was created by companies that needed to define a new access control product niche to compete against the firewall giants of the early 2000s. (All defensive measures are trying to prevent intrusions.) However, I am not disrespecting the technology. Anything which can make smarter access control decisions is extremely helpful and an important part of the security arsenal.

Sincerely,

Richard
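The three access-control models argued over in this thread, as an added example that is not part of the exchange above: the firewall's "allow what is authorized, deny all else", the common IPS deployment's "deny what matches, allow all else", Nick's hybrid (allowlist first, then inspect), and the fail-open behaviour of an inline sensor behind a bypass switch. The flows, ports and signature byte patterns are constructed for the example (ports 111/tcp and 445/tcp are the ones Richard mentions); the signatures are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One network flow as seen by an inline device (constructed sample data)."""
    proto: str
    dport: int
    payload: bytes

# Model 1: stateful layer 3/4 firewall. Allow what policy authorizes, deny all else.
FIREWALL_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 25)}

# Model 2: IPS as commonly deployed. Deny what matches a signature, allow all else.
# Signatures are hypothetical byte patterns chosen only to make the example run.
IPS_SIGNATURES = (b"/bin/sh", b"\x90\x90\x90\x90")

def firewall_allows(f: Flow) -> bool:
    return (f.proto, f.dport) in FIREWALL_ALLOW

def ips_allows(f: Flow) -> bool:
    return not any(sig in f.payload for sig in IPS_SIGNATURES)

def hybrid_allows(f: Flow) -> bool:
    # The hybrid Nick describes: authorize by protocol/port first, then inspect
    # only the traffic that survived the allowlist.
    return firewall_allows(f) and ips_allows(f)

def inline_ips_with_bypass(f: Flow, sensor_healthy: bool) -> bool:
    # Bypass switch in front of an inline IPS: when the sensor fails, the switch
    # keeps traffic flowing uninspected (fail open) rather than failing closed.
    return ips_allows(f) if sensor_healthy else True

def evaluate(f: Flow, sensor_healthy: bool = True) -> dict:
    """Verdict of each model for one flow (True = forwarded)."""
    return {
        "firewall": firewall_allows(f),
        "ips": ips_allows(f),
        "hybrid": hybrid_allows(f),
        "ips_with_bypass": inline_ips_with_bypass(f, sensor_healthy),
    }

# Constructed sample flows; 111/tcp and 445/tcp are the ports named in the thread.
SAMPLE_FLOWS = {
    "web": Flow("tcp", 80, b"GET / HTTP/1.1"),
    "portmap": Flow("tcp", 111, b"\x80\x00\x00\x28"),         # no signature matches
    "web_exploit": Flow("tcp", 80, b"GET /cgi?cmd=/bin/sh"),  # allowed port, bad payload
    "smb": Flow("tcp", 445, b"\xffSMB"),
}
```

Running `evaluate` over `SAMPLE_FLOWS` shows the inversion Richard describes: the signature-only model forwards the unauthorized 111/tcp and 445/tcp flows because nothing matched, and with the sensor down the bypass switch forwards even the flow a signature would have caught.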