Network Security Focus-IDS

Re: Firewalls (was Re: IDS evaluations procedures)

Subject: Re: Firewalls (was Re: IDS evaluations procedures)
Date: Thu, 21 Jul 2005 05:34:24 +0530
On 19/07/05 13:55 +0800, Fergus Brooks wrote:
> Devdas you say:
> 
> > An IDS is not an attack prevention mechanism. An IDS is a tool to detect
> > when your active attack detection mechanisms have been bypassed. An IDS is
> > passive. It tells you what it can see, but it is not supposed to do
> > anything to that traffic. Active elements are called firewalls, and
> > firewalls include both packet filters and proxies.
> 
> Traditionally a firewall is nothing more than a gatekeeper that
> permits or denies traffic based on a predefined policy. "Active" in
> that it is powered on, but only as intelligent as its featureset
> allows for. The ability to monitor state was one of the first of these
> more advanced features and now the sky is the limit.

I meant active in the sense that it modifies traffic flowing through it
(or can). As opposed to a passive device which looks at the traffic, but
does nothing other than report what it is seeing.

> You mention proxies - application-layer firewalls like
> Gauntlet/Sidewinder and Raptor/SEF have the ability to look at traffic
> in far more detail, in fact they spawn other processes to communicate
> with the destination devices, this is more "active," still a firewall
> by definition though.
> 
> Traditionally your definition of an IDS is correct but in the current
> network security market and the amount of high-level salespeak used to
> describe the features of IDS, IPS & firewalls, one could be forgiven
> for using the generic tag IDS to describe any number of hybrid
> detection, analysis and in some cases mitigation devices out there.

In which case, we should take the terminology back from the sales
people :).

> To give you an example. Symantec bought Axent for their Raptor
> Application-layer Proxy Firewall. They bought Recourse for their
> Protocol-anomaly IDS, Manhunt. Manhunt, though always described as an
> IDS as it does not sit inline in the network, is capable of sending
> reset packets to block anomalously or signature-identified traffic in
> mitigation. It can also send mitigation information to firewalls and
> IPS devices.

Let me put it this way: The software has two parts, one of which
actively participates in controlling traffic. This is the firewall. The
other part is a monitoring system, which does not actively participate
in controlling the traffic. This is the IDS.

Now, how the two parts are combined is left to the marketing department.

> To make things more confusing they have integrated the above with
> their AV onto their SGS boxes which are all-in-one security
> appliances. Fortigate sell one of these as well, Checkpoint are moving
> in that direction as well.

Regardless of how many physical hosts are combined into this, my
definitions work fine. Or to put it in AAA terminology, firewalls do
authentication and authorisation, while IDS systems do accounting.

A feedback loop between the two can be generated by auditing systems,
but the auditing system is then a firewall configuration system and
hence part of the firewall space.

> My point is that definitions in this space are all over the place, and
> I agree those of us who know the difference need to be careful,
> however we should be coming up with accurate ways of describing how
> things stand today in terms of actual functionality than outdated
> (albeit originally correct) definitions.

Why not just split things logically, regardless of how they are
physically bundled?

> For example calling something an "NIPS-NIDS-FW-AV-Content
> filter-antispam-washes-the-dishes-as-well appliance" is long winded -
> anyone have any ideas?

Firewall and IDS in a box?

> Especially where devices that detect and recommend mitigation
> solutions - but do not act themselves, no clear name for this - though
> Symantec did have something called Intrusion Prevention Solution which
> was a combo of point products working together.

Detect and recommend mitigation solutions? Sounds like an IDS to me.

Devdas Bhagat
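The logical split argued in the message above (a firewall is the active element that permits or denies traffic, an IDS is the passive element that only watches and reports, and any auditing loop that pushes IDS findings into blocking decisions is firewall configuration) can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the thread or from any product named in it (Manhunt, Raptor, SGS). The addresses, ports, the `/bin/sh` payload signature and the five-port scan threshold are all constructed for the illustration, and nothing here touches a real network.

```python
"""Toy model of the firewall / IDS split discussed in the thread.

Added example, not code from the thread or from any product it names.
All traffic below is constructed; nothing here reads or sends packets.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "S" (SYN), "A" (ACK/data), "R" (RST)
    payload: bytes = b""


@dataclass
class Firewall:
    """Active element: decides per packet and may drop it (authN/authZ)."""
    # Static policy (constructed): destination ports the inside accepts.
    allowed_ports: set = field(default_factory=lambda: {22, 25, 80, 443, 8080})
    # Dynamic deny list, populated only by the feedback step below.
    blocked_sources: set = field(default_factory=set)
    # Stateful part: sessions we saw an accepted SYN for.
    sessions: set = field(default_factory=set)

    def decide(self, pkt):
        if pkt.src in self.blocked_sources:
            return "DENY"
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            if pkt.dport in self.allowed_ports:
                self.sessions.add(key)
                return "PERMIT"
            return "DENY"
        # Non-SYN traffic only passes for a session already tracked.
        return "PERMIT" if key in self.sessions else "DENY"


class PassiveIDS:
    """Passive element: taps a copy of the traffic, never alters it (accounting)."""
    def __init__(self, scan_threshold=5):
        self.scan_threshold = scan_threshold
        self.syn_ports = defaultdict(set)
        self.alerts = []

    def observe(self, pkt):
        # Signature rule (constructed): shell string inside a permitted session.
        if b"/bin/sh" in pkt.payload:
            self.alerts.append(("signature", pkt.src, "shell-string-in-payload"))
        # Anomaly rule: one source opening many distinct ports looks like a scan.
        if pkt.flags == "S":
            self.syn_ports[pkt.src].add(pkt.dport)
            if len(self.syn_ports[pkt.src]) == self.scan_threshold:
                self.alerts.append(("anomaly", pkt.src, "port-scan"))
        # Deliberately returns nothing: the IDS has no say over the packet.


def feedback_to_firewall(ids, fw):
    """Auditing step that turns IDS alerts into firewall policy.

    As soon as this runs it is configuring the firewall, so it sits on the
    firewall side of the split even though its input comes from the IDS.
    Returns the rules added (constructed rule syntax)."""
    new_rules = []
    for kind, src, what in ids.alerts:
        if src not in fw.blocked_sources:
            fw.blocked_sources.add(src)
            new_rules.append(f"deny from {src}  # {kind}: {what}")
    return new_rules


def run(packets, fw=None, ids=None):
    """Push packets through the firewall; the IDS sees what got past it."""
    fw = Firewall() if fw is None else fw
    ids = PassiveIDS() if ids is None else ids
    log = []
    for pkt in packets:
        verdict = fw.decide(pkt)        # active: may drop
        if verdict == "PERMIT":
            ids.observe(pkt)            # passive: tap on the inside
        log.append((pkt.src, pkt.dport, verdict))
    return log, ids.alerts


# Constructed traffic: a normal HTTPS client, a scanner hitting seven ports
# (two of which the firewall already denies), and an exploit string carried
# inside a session the firewall legitimately permitted.
SAMPLE = (
    [Packet("10.0.0.5", "192.0.2.10", 443, "S"),
     Packet("10.0.0.5", "192.0.2.10", 443, "A", b"GET / HTTP/1.1")]
    + [Packet("203.0.113.7", "192.0.2.10", p, "S")
       for p in (21, 22, 23, 25, 80, 443, 8080)]
    + [Packet("198.51.100.9", "192.0.2.10", 80, "S"),
       Packet("198.51.100.9", "192.0.2.10", 80, "A", b"GET /cgi-bin/x?cmd=/bin/sh")]
)

if __name__ == "__main__":
    fw, ids = Firewall(), PassiveIDS()
    log, alerts = run(SAMPLE, fw, ids)
    for entry in log:
        print(entry)
    for alert in alerts:
        print("ALERT", alert)
    for rule in feedback_to_firewall(ids, fw):
        print("FW RULE", rule)
```

The point the model makes is that the two SYNs to closed ports never reach the IDS at all, because the firewall did its job; the scan only becomes visible to the sensor on the five ports the policy lets through, and the shell string rides inside a flow the firewall correctly permitted. The IDS reports both, but nothing changes for the attacker until `feedback_to_firewall` writes deny rules, and that function is, as the message says, firewall configuration rather than detection.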
