On 30/03/06 08:30 -0800, Andrew Plato wrote:
If by firewall, you mean a proxy which validates protocols
and is in default deny mode, then you are just wrong.
If I don't have a proxy for it, I don't let the traffic through works
just fine.
An IPS looks at stuff on the wire, decides what is bad, and blocks it.
A real firewall looks at stuff on the wire, decides what is good,
and allows it. A real firewall hooks into everything (servers,
network equipment, desktops...).
Proxy firewalls make up a small (and shrinking) percentage of the market
of firewalls. And having worked with over 500 different companies, my
And that market-share is relevant how? Just because everyone thinks the
world is flat does not make it so.
experience is that proxy-based firewalls are rarely deployed in the
manner you describe. The default deny from unknown or unallowed
protocols is almost ALWAYS turned off because it breaks some important
And that justifies an IPS?
businesses system that was poorly coded. Furthermore, a proxy validating
Then the right thing to do is to fix the application.
protocols still cannot stop a lot of exploits. Plenty of exploits live
quite comfortably inside the RFC-specs for a protocol. And in this case,
your proxy-firewall would do nothing to stop them.
Actually, the proxy would know what valid traffic to expect. Regular
expressions are nice if used properly. Plug in a reverse proxy in front
of your webserver and block queries with SQL(ish) content embedded.
If you think that you can run an Internet facing system without knowing
what is on the network, you are just plain wrong.
Most firewalls have no insight into application-layer content. And most
ITYM packet filters and not firewalls.
exploits are application-layer exploits. This isn't just some insane
idea, it's a fact. You can ignore this and tell yourself 10000 times you
don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls
are not sufficient protection for most organizations.
Other than networking stack issues, everything else is an application
layer exploit. Not having a service installed, not running it, staying
patched, using proxies correctly, using well coded software, watching
your logs.....
Once you have a firewall in place, you need a system which
analyses logs and traffic which gets through your firewall.
Which is why you sandwich your firewall with a good IPS, so you can see
what gets through and block it - if necessary.
IDS yes, IPS no. Oh, and good backups.
Devdas Bhagat
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
