The problem with your comments, Crispin, is that you consider basic packet inspection to be security analysis. I disagree. Most firewalls (Checkpoint, pix, netscreen, etc.) are packet filters. They look at communication information and apply access control lists based on some rules. This is nowhere near synonymous with an IPS, which looks beyond the packet and analyzes the entire communication stream. Proxy-based firewalls (Sidewinder/Gauntlet and some variants) go part of the way there. They do application-layer rules. But the classic packet filter firewalls do not have that kind of ability.

I see firewalls as essentially an access control point. To use an airport security analogy: firewalls control who gets on the plane and that's all. They don't look to see if the person is carrying a bomb. An IPS does both access control and looks in the person's luggage to see if there are any bombs in there.

Consider the extremely basic problem of things like Code Red. Firewalls couldn't stop Code Red at all, unless port 80 was blocked. But since that would have killed the web sites of many companies, that wasn't really an option. Therefore, the firewall did nothing to prevent Code Red. But a host-IPS or network-IPS could have seen Code Red in the stream and dropped the offending packets and kept web access open.

> How about we stop trying to classify them and just call them *all*
> firewalls? Then we can just compare firewalls head to head on
> features, performance, operational costs, security, etc.

Then we're comparing CheckPoints to IntruVerts, Netscreens to RealSecure Guards, and that is a crummy comparison because they really are not the same types of products. An IntruVert is not anywhere near the same as a CheckPoint. A comparison between the two would be misleading. It would make CheckPoint look lame and IntruVert look outlandishly priced.

As for your quadrants: you define anything that does merely access control as prevention. I disagree.
Access control does not mean bad stuff can't get in. Merely blocking some communications at the perimeter does not make a network secure. I would redefine your quadrants as hexants (is that a word):

* Network
  o Access control:
    + classic firewalls: Checkpoint, Netscreen, PIX, etc.
    + Router/VLAN ACLs
  o Prevention:
    + NIPS: inline SNORT, IntruVert, ISS Guard, TopLayer Attack Mitigator, etc.
    + Application firewalls: Sidewinder, WatchGuard (sort of)
  o Detection:
    + IDS: RealSecure, Snort/Sourcefire, ManHunt, etc.
* Host
  o Access control:
    + ACLs, token authentication, locks, passwords, etc.
  o Prevention:
    + Behavior HIPS: Okena, Entercept
    + Signature HIPS: RS Desktop/Server, Sygate
    + Secure OS: Immunix, a Windows box with no power ;-), etc.
  o Detection:
    + Integrity monitors: Tripwire, etc.

And I would say best practices would be to try to have something at every level.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security & Infrastructure Solutions
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

> -----Original Message-----
> From: Crispin Cowan [mailto:crispin@private]
> Sent: Tuesday, June 24, 2003 12:36 PM
> To: aplato@private
> Cc: 'Justin Kurynny'; crime@private
> Subject: Re: CRIME IDS is dead says Gartner
>
>
> Andrew Plato wrote:
>
> >I have actually been working on a white paper that aims to define the
> >difference between IPS, IDS, and firewall. The paper is obviously
> >biased, since I am basing it on my experience and expertise, but
> >essentially my core definitions are:
> >
> A little feedback :)
>
> >IPSs:
> >
> There are both *host* and *network* IPS's, and they are different
> beasties. What you describe here is mostly NIPS.
>
> >- Perform some kind of analysis of communications and/or system
> >behavior to identify dangerous or potentially dangerous activity or
> >access.
> >
> Just like firewalls.
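An added illustration of the packet-filter vs. stream-inspection distinction argued in the message above (example code written for this archive page, not from the poster or from any product named; the ACL, the 1024-byte URI threshold and the two sample requests are constructed):

```python
"""Port-level packet filter vs. stream-content inspection (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed ACL: permit anything to the web server on TCP/80, deny the rest.
ACL = [("any", "10.0.0.5", 80, "allow")]


def packet_filter(pkt: Packet, acl=ACL) -> str:
    """Classic packet filter: matches addresses and ports only; the payload is never read."""
    for src, dst, dport, action in acl:
        if src in ("any", pkt.src) and dst == pkt.dst and dport == pkt.dport:
            return action
    return "deny"


MAX_URI_LEN = 1024  # hypothetical threshold for an overlong request URI


def inspect_http(stream: bytes) -> str:
    """Stream-level rule of the kind an IPS applies: parse the HTTP request line and
    drop malformed or overlong URIs, which a port-only ACL cannot tell apart from
    ordinary web traffic on the same port."""
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith(b"HTTP/"):
        return "drop"
    if len(parts[1]) > MAX_URI_LEN:
        return "drop"
    return "allow"


def verdicts(pkt: Packet) -> tuple:
    """Return (packet-filter verdict, stream-inspection verdict) for one request."""
    return packet_filter(pkt), inspect_http(pkt.payload)


# Constructed sample traffic: a normal page fetch and an overlong request to the same port.
NORMAL = Packet("192.0.2.10", "10.0.0.5", 80,
                b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
OVERLONG = Packet("192.0.2.11", "10.0.0.5", 80,
                  b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("overlong", OVERLONG)):
        print(name, verdicts(pkt))  # filter allows both; only the inspector drops the second
```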
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 13:46:35 PDT