Andrew Plato wrote:

> I have actually been working on a white paper that aims to define the
> difference between IPS, IDS, and firewall. The paper is obviously biased,
> since I am basing it on my experience and expertise, but essentially my core
> definitions are:

A little feedback :)

> IPSs:

There are both *host* and *network* IPSs, and they are different beasties.
What you describe here is mostly NIPS.

> - Perform some kind of analysis of communications and/or system behavior to
> identify dangerous or potentially dangerous activity or access.

Just like firewalls.

> - Include both rule and signature-based analysis techniques.

Whereas firewalls are just rule-based.

> - Have the internal ability to *automatically* respond to identified threats
> with an active protection mechanism such as blocking the offending
> communications or preventing malicious code from running.

Just like firewalls.

> - Do not rely on a secondary device (like a firewall) to implement
> protection measures.

Products that rely on other products to do the prevention strike me as
incomplete. I'm not sure how to classify that.

> - Include a central alerting and reporting mechanism where administrators
> can control the protection/detection engine and analyze events.

Just like firewalls.

So the difference between a firewall and a NIPS is that the NIPS has
signature detection/prevention. IMHO, NIPS are really just a new breed of
firewalls: they both sit in an identical position in a secure network
architecture.

> IDSs:

As above, there are both NIDS and HIDS in the IDS space.

> - Perform some kind of analysis of communications and/or system behavior to
> identify dangerous or potentially dangerous activity or access.

Ok.

> - Include both rule and signature-based analysis techniques.

Why? There are lots of IDSs (host and network) that use only one or the
other. Hybrids have an obvious advantage, but how does that exclude them
from the IDS space? Or did you really mean "either" rather than "both"?

> - Include an alerting and reporting mechanism where administrators can
> analyze events and control the detection engine.

Yeah, they all do that.

> Firewalls:
>
> - Provide access control to a network or system.
> - Include rule-based system to prevent or allow access.

Ok.

> Essentially, an IPS is an IDS and a firewall mated together. An IPS can do
> both bulk access control and analyze for intrusions. Many technologies that
> claim to be IPS, are really just feature-rich firewalls or response-capable
> IDSs.

I quite agree with that.

> For example, some firewalls can actively respond to spoofed addresses or
> perform some application layer proxying and filtering. I still classify
> these as firewalls, but they are moving toward the IPS space. WatchGuard for
> example does an outstanding job with its SMTP, HTTP, and DNS proxies at
> filtering out a lot of nasty stuff.

How about we stop trying to classify them and just call them *all*
firewalls? Then we can just compare firewalls head to head on features,
performance, operational costs, security, etc.

> Some IDSs are trying to be more IPS-like as well. For example, some IDSs
> claim they are an IPS because they can write OPSEC rules to a Checkpoint
> firewall. In my opinion, a true IPS has its own protection measures. It
> shouldn't rely on another product to protect.

We could classify products that rely on a firewall to do prevention things
as firewall adjuncts. I'm sure the product vendors will like that moniker :)

> Another misconception I am hearing recently is that behavior analysis is the
> only true IPS. Behavior analysis refers to monitoring system-level
> functions, such as kernel calls. I think behavior analysis is merely one
> variant of IPS. And it's not always a good one, as it tends to scale poorly
> and can totally miss network-based attacks that, for all purposes, look like
> legitimate system behavior. (Actually, behavior analysis and network
> analysis are due for convergence, soon.)

That variant is *Host* IPS. Anyone who says that is the *only* IPS is on
crack.

So here's my classification hierarchy:

* network
    o prevention:
        + classic firewalls, e.g. Checkpoint, Raptor, Gauntlet FWTK, etc.
        + newfangled NIPS like inline-SNORT
    o detection:
        + ISS RealSecure, SNORT, etc.
* host
    o prevention:
        + classic secure operating systems, e.g. Multics, Trusted Solaris
        + hybrid secure operating systems, e.g. Immunix, Okena, Entercept
    o detection:
        + Tripwire, Emerald (SRI research project), etc.

This scheme fits nicely into quadrants, but that doesn't render well into
ASCII.

Crispin
--
Crispin Cowan, Ph.D.          http://immunix.com/~crispin/
Chief Scientist, Immunix      http://immunix.com
                              http://www.immunix.com/shop/
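The distinction the reply above draws (a firewall is rule-based access control; a NIPS sits in the same inline position but adds signature-based analysis and blocks on a match; a NIDS runs the same signatures but can only alert) is easy to show in code. The following is an added example written for this archive page, not code from either poster or from any of the products named. The rules, the two signatures and the five sample packets are constructed for illustration, and the `Packet`, `firewall`, `nids`, `nips` and `run` names are assumptions of this example.

```python
"""Toy model of three network devices from the thread: a rule-based
firewall, a passive signature-based NIDS, and an inline NIPS that is
a firewall plus signatures.  Everything below (rules, signatures,
packets) is constructed for illustration, not captured traffic."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes = b""


# Rule-based access control, classic firewall style: first match wins,
# default deny.  Tuple: (action, source network, protocol, dest port).
RULES = [
    ("allow", "10.0.0.0/8", "tcp", 80),   # internal clients to web
    ("allow", "10.0.0.0/8", "tcp", 25),   # internal clients to SMTP
    ("deny",  "0.0.0.0/0",  "tcp", 23),   # no telnet from anywhere
]

# Signature-based analysis: content patterns over the payload.  These two
# are generic illustrations (directory traversal, oversized argument),
# not signatures taken from any real IDS ruleset.
SIGNATURES = [
    ("http-traversal", re.compile(rb"\.\./\.\./")),
    ("long-arg-overflow", re.compile(rb"A{200,}")),
]


def rule_decision(pkt: Packet) -> str:
    """Evaluate RULES top to bottom; return 'allow' or 'deny'."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, proto, dport in RULES:
        if (pkt.proto == proto and pkt.dport == dport
                and src in ipaddress.ip_network(net)):
            return action
    return "deny"


def signature_hits(pkt: Packet) -> list:
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, rx in SIGNATURES if rx.search(pkt.payload)]


def firewall(pkt: Packet):
    """Rules only, no payload inspection.  Returns (verdict, alerts)."""
    return ("pass" if rule_decision(pkt) == "allow" else "drop"), []


def nids(pkt: Packet):
    """Passive detection: sees everything, alerts, never blocks."""
    return "pass", signature_hits(pkt)


def nips(pkt: Packet):
    """Inline prevention: firewall rules first, then drop on any signature
    match.  Same position in the network as the firewall, plus signatures."""
    hits = signature_hits(pkt)
    if rule_decision(pkt) != "allow" or hits:
        return "drop", hits
    return "pass", hits


def run(device, packets):
    """Push a packet list through a device function.
    Returns (indexes of packets forwarded, list of (index, signature))."""
    forwarded, alerts = [], []
    for i, pkt in enumerate(packets):
        verdict, hits = device(pkt)
        if verdict == "pass":
            forwarded.append(i)
        alerts.extend((i, h) for h in hits)
    return forwarded, alerts


# Constructed sample traffic.
SAMPLE = [
    Packet("10.1.2.3", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),        # 0 benign
    Packet("10.1.2.3", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),  # 1 traversal
    Packet("10.1.2.3", "tcp", 25, b"HELO " + b"A" * 300 + b"\r\n"),        # 2 long arg
    Packet("192.0.2.9", "tcp", 23, b"\xff\xfb\x18"),                         # 3 telnet, denied by rule
    Packet("192.0.2.9", "tcp", 80, b"GET / HTTP/1.0\r\n"),                   # 4 no matching rule
]

if __name__ == "__main__":
    for name, dev in (("firewall", firewall), ("nids", nids), ("nips", nips)):
        print(name, run(dev, SAMPLE))
```

Running it shows the three columns of the quadrant for the network side: the firewall forwards packets 0, 1 and 2 (the attacks are on allowed ports, so rules alone cannot see them) and raises no alerts; the NIDS forwards all five and alerts on 1 and 2; the NIPS forwards only packet 0, raising the same two alerts but dropping the matching packets itself rather than handing the job to another device.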
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 13:04:27 PDT