Network Security ISSForum

Re: [ISSForum] Comparison of

Subject: Re: [ISSForum] Comparison of
Date: Tue, 25 Jan 2005 20:44:21 +0100
Hi Dan, hi list,
answers inline:

Dan Widger wrote:

> I'd like to know how technical networking security
> professionals would compare MS ISA / proxy firewall, with the
> capabilities of an IPS, versus a web application firewall solution
> (Kavado / Sanctum / Teros / NetContinuum). If we wanted to go a level
> deeper, we could throw a MS ISA firewall with ISS Server sensor into the
> mix.

I don't know MS ISA very well, but from what I've heard it's quite useful in smaller environments with medium security.


In high-security environments I would strongly recommend a full-blown proxy firewall AND an IDS or IPS.

ISA might be really good for several purposes, but I still think that vendors that specialize in proxy and firewall systems are better. Especially when they have an E3/high certificate (European certificate) or better, you can be sure that the design and implementation are solid.

In addition, I would think about some kernel-level protection software (something that protects you from buffer overflows) on web servers, and an IPS or IDS.
One drawback with IPS is that some false positives could cause denial of service, so you should be careful with active responses like packet dropping and TCP reset. Thorough tuning of policies is required.


> At stake is a web application, operating in a secure subnet
> / dmz.  If the objective to the "protect" all the servers in the secure
> subnet, which device would be adequate, and which may be inadequate for
> providing protection from internet attack against servers in the "secure
> subnet"?


All of the three options could be adequate. This depends on what level of security and availability you need. There are also products available that specialize in securing web (HTTP) applications.
When using HTTPS you can terminate the SSL encryption on a proxy and put an IPS inline. Of course this is not end-to-end encryption, but this way you have a chance to filter out malicious stuff before it hits your web servers.



> Does anyone have any quantitative experience comparing Web
> Application Firewalls with IPS?



Both are part of your security toolbox.


> In my humble opinion, all of these solutions are variations
> of a proxy solution.

No, an IPS is not a proxy, since a proxy is an application that does not simply forward packets as they are; it provides a service to a client and requests that service from another server.
A proxy can load a website and serve that site to a client in another format or with limited content (e.g. stripping ActiveX or scripts out of the code).


An IPS does not alter contents. If content is malicious it triggers an alert and (if configured) drops the whole packet or even the connection.

Of course those things tend to intermix in some products, e.g. with Check Point Application Intelligence.

> In my partially informed mind, the real question
> is what application or protocol (PAM) intelligence is applied on top of
> the proxy.

An IPS can use simple patterns (signatures) and some more sophisticated heuristics. Protocol analysis is somewhat different if you look at ISS.
ISS uses signatures AND protocol analysis. With signatures you look for a pattern of a known exploit. With protocol analysis you can detect when a known vulnerability is being exploited, like <IF protocol message xyz contains a string longer than 255 bytes THEN...>. This assumes that the analysis module knows the structure of the protocol and even detects a protocol if it doesn't run on the default port.


The good thing with signatures is: You know exactly (by name) what attack hits your network.
The good thing with protocol analysis is: You can detect new (zero day) exploits.
Thus you might get two alerts for the same event: one for the signature-hit, one for the vulnerability-hit.


ISS folks: Did I get that right?
;)

> One resource made the analogy that IPS is "a mile wide, and
> a foot deep", and web app firewall is "a foot wide, and a mile deep".
> In this discussion, ISA is a general proxy with MS networking
> intelligence, and would therefore be shallower in terms of overall "deep
> packet inspection" capabilities.


I cannot confirm that. This depends on the product implementation, not on the general approach.


HTH,
Detmar
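The distinctions Detmar draws above (a proxy rewrites content while an IPS only alerts or drops; signatures name a known exploit while protocol analysis flags a vulnerability condition such as "a field longer than 255 bytes", so one event can raise two alerts; and active responses need tuning because a false positive becomes a denial of service) are illustrated by the following toy inspection engine. It is an added example written for this archive page, not code from the thread, from ISS or from any product named in it. The signature name, the marker string it matches, the header names and the sample requests are all constructed for the demonstration.

```python
"""Toy IPS/IDS inspection engine illustrating signature matching, protocol analysis,
IDS-vs-IPS response and the contrast with a content-rewriting proxy.
Every signature, header name and traffic sample here is constructed for the example."""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str    # "signature" (known exploit, named) or "protocol" (vulnerability condition)
    name: str
    detail: str


# Constructed signature table: one hypothetical known exploit, identified by a marker string.
SIGNATURES = {
    "HYPO-2005-001 X-Hypothetical-Opt exploit": re.compile(rb"EVIL-MARKER-2005"),
}


def parse_http_request(raw: bytes):
    """Recognise HTTP by its structure rather than by port; return (method, target, headers) or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def signature_alerts(raw: bytes):
    """Signature path: fires only for exploits already in the table, but names them exactly."""
    return [Alert("signature", name, "pattern matched")
            for name, pat in SIGNATURES.items() if pat.search(raw)]


def protocol_alerts(headers, max_header_len=255, exempt=()):
    """Protocol-analysis path: 'IF a header value is longer than N bytes THEN alert'.
    Catches payloads no signature knows yet, but needs tuning (threshold, exempt headers)."""
    return [Alert("protocol", "HTTP header value exceeds limit", f"{name.decode()}={len(value)} bytes")
            for name, value in headers.items()
            if name not in exempt and len(value) > max_header_len]


def inspect(raw: bytes, mode="ids", max_header_len=255, exempt_headers=()):
    """Run both engines. An IDS only alerts; an IPS also drops as soon as anything fires,
    which is exactly why an untuned policy turns a false positive into denial of service."""
    alerts = signature_alerts(raw)
    parsed = parse_http_request(raw)
    if parsed:
        exempt = tuple(h.lower().encode() for h in exempt_headers)
        alerts += protocol_alerts(parsed[2], max_header_len, exempt)
    action = "drop" if mode == "ips" and alerts else "pass"
    return action, alerts


SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.I | re.S)


def proxy_rewrite(response_body: bytes) -> bytes:
    """What a proxy may do and an IPS never does: hand the client altered content."""
    return SCRIPT_RE.sub(b"", response_body)


def request(extra_header: bytes) -> bytes:
    """Build a minimal constructed HTTP/1.1 request carrying one extra header."""
    return b"GET /app HTTP/1.1\r\nHost: www.example.test\r\n" + extra_header + b"\r\n\r\n"


# Constructed traffic samples.
KNOWN_EXPLOIT = request(b"X-Hypothetical-Opt: " + b"A" * 300 + b"EVIL-MARKER-2005")
NOVEL_EXPLOIT = request(b"X-Hypothetical-Opt: " + b"B" * 300)   # same overlong field, unknown payload
LEGIT_LONG_COOKIE = request(b"Cookie: session=" + b"c" * 300)   # legitimate but long header

if __name__ == "__main__":
    for label, raw in [("known", KNOWN_EXPLOIT), ("novel", NOVEL_EXPLOIT), ("cookie", LEGIT_LONG_COOKIE)]:
        print(label, inspect(raw, mode="ips"))
    print("tuned", inspect(LEGIT_LONG_COOKIE, mode="ips", exempt_headers=("Cookie",)))
    print(proxy_rewrite(b"<html><script src=\"x.js\"></script><p>hi</p></html>"))
```

Running it shows the known exploit raising two alerts (one signature hit, one vulnerability hit), the novel payload raising only the protocol alert, and the legitimate long cookie being dropped by the untuned IPS policy until the Cookie header is exempted; the proxy function is the only path that changes what the client receives.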
_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
