Network Security Focus-IDS

RE: RE: IDS vs. IPS deployment feedback

Subject: RE: RE: IDS vs. IPS deployment feedback
Date: Thu, 30 Mar 2006 08:30:51 -0800

> If by firewall, you mean a proxy which validates protocols
> and is in default deny mode, then you are just wrong.
>
> "If I don't have a proxy for it, I don't let the traffic through" works
> just fine.
>
> An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> A real firewall looks at stuff on the wire, decides what is good,
> and allows it. A real firewall hooks into everything (servers,
> network equipment, desktops...).

Proxy firewalls make up a small (and shrinking) percentage of the market
of firewalls. And having worked with over 500 different companies, my
experience is that proxy-based firewalls are rarely deployed in the
manner you describe. The default deny from unknown or unallowed
protocols is almost ALWAYS turned off because it breaks some important
business system that was poorly coded. Furthermore, a proxy validating
protocols still cannot stop a lot of exploits. Plenty of exploits live
quite comfortably inside the RFC-specs for a protocol. And in this case,
your proxy-firewall would do nothing to stop them. 

Most firewalls have no insight into application-layer content. And most
exploits are application-layer exploits. This isn't just some insane
idea, it's a fact. You can ignore this and tell yourself 10000 times you
don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls
are not sufficient protection for most organizations. 

> Once you have a firewall in place, you need a system which
> analyses logs and traffic which gets through your firewall.

Which is why you sandwich your firewall with a good IPS, so you can see
what gets through and block it - if necessary.

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 
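The distinction Andrew draws above (a proxy validates that traffic conforms to the protocol; an IPS inspects what the conforming traffic actually carries) can be shown concretely. The following is an added example, not code from the thread or from any product mentioned in it: a toy RFC 7230-style HTTP syntax check stands in for a protocol-validating proxy, and a small set of constructed content rules stands in for an IPS. The sample requests, rule patterns and function names are all constructed for this illustration. The traversal and SQL-injection requests are well-formed HTTP, so the syntax check passes them and only the content rules flag them; the request with a bogus version is the one case the proxy alone stops.

```python
"""Added example (not from the thread): protocol validation is not content
inspection. Constructed HTTP requests are run through a toy syntax validator
(stand-in for a proxy firewall) and a toy signature matcher (stand-in for an
IPS). Everything here, rules and traffic alike, is constructed for illustration."""
import re

# Lexical pieces from RFC 7230: method and header names are tokens, the
# request-target is limited to origin-form, the version must be HTTP/1.x.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rf"^({TCHAR}) (/\S*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rf"^({TCHAR}):[ \t]*(.*?)[ \t]*$")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed proxy policy


def proxy_validate(raw: bytes):
    """Proxy-style check: well-formed HTTP/1.x with a permitted method?
    Returns (ok, reason). Looks at syntax only, never at what the request means."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII in header block"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group(1) not in ALLOWED_METHODS:
        return False, f"method {m.group(1)} not permitted"
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return False, f"malformed header: {line!r}"
        headers[h.group(1).lower()] = h.group(2)
    if "host" not in headers:
        return False, "missing Host header (required by HTTP/1.1)"
    cl = headers.get("content-length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body)):
        return False, "Content-Length does not match body"
    return True, "well-formed"


# Constructed content rules: the layer the syntax validator never reaches.
CONTENT_RULES = [
    ("path traversal", re.compile(rb"(?:\.\./|%2e%2e%2f|%2e%2e/)", re.I)),
    ("sql injection", re.compile(rb"(?:'\s*or\s*'?\d+'?\s*=\s*'?\d+|union\s+select)", re.I)),
    ("command injection", re.compile(rb"[;|`]\s*(?:cat|sh|bash|wget|curl)\b", re.I)),
]


def ips_inspect(raw: bytes):
    """IPS-style check: names of every content rule the raw request matches."""
    return [name for name, pat in CONTENT_RULES if pat.search(raw)]


def triage(raw: bytes):
    """Run both layers and report which one, if any, stops the request."""
    ok, reason = proxy_validate(raw)
    if not ok:
        return "blocked by proxy", reason
    alerts = ips_inspect(raw)
    if alerts:
        return "blocked by IPS", ", ".join(alerts)
    return "allowed", "passed both"


# Constructed sample traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MALFORMED = b"GET /index.html HTTP/9.9\r\nHost: www.example.com\r\n\r\n"  # bad version
ATTACK = (b"GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1\r\n"
          b"Host: www.example.com\r\n\r\n")  # valid HTTP, hostile content
_body = b"user=admin' OR '1'='1&pass=x"
ATTACK_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(_body)).encode() + b"\r\n\r\n" + _body)

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("malformed", MALFORMED),
                      ("traversal", ATTACK), ("sqli", ATTACK_POST)]:
        print(f"{name:10s} -> {triage(req)}")
```

The point of running both layers in sequence is the "sandwich" Andrew describes: the validator rejects what is not even HTTP, and the content rules catch what is perfectly good HTTP carrying a bad payload. A real proxy would also apply semantic limits (header counts, URI length, encoding rules) and a real IPS would use far richer signatures and normalisation, but the division of labour is the same.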



