I am a simpleton. Here is my 2cent view of the world.
IDS - A passive-only monitoring solution (host or network). Requires a
highly complex interpretation or filtering mechanism(s)
IPS - An active monitoring/interdiction solution (host or network).
Requires upkeep equivalent to the amount of change in the protected
computing environment
Firewall - A barrier which controls the flow of specified types of traffic
(inbound/outbound). Crude but effective.
Analogy:
Vehicle traps at ingress/egress points (Firewall) will restrict access to a
neighborhood park to foot traffic only. Not much upkeep is required and the
barrier will do well to keep vehicles out. A video camera at ingress/egress
points provides an entirely new aspect. New threats (unruly skateboarder
thugs in clown outfits) and undesired activities can be identified.
However, the camera (aside from being a deterrent) provides no actual
intervention service. Additionally, the camera must be well placed and
regularly monitored to provide benefits. A poorly placed camera or one
which is not monitored is as worthless as a Big-Wheel, with a flat tire. An
IPS is like a community security officer (think policeman, guard, etc.).
They can monitor and interdict undesired activity (nightstick across bozo's
nose). They are resource intensive but are capable of identifying more
undesirable activity than the Vehicle traps and can actively interdict
situations where a Camera alone fails.
IDS is not dead. IPS is not dead. Firewalls are not dead. Nightsticks are
not dead. These are all tools. There are many ways to use them in a cost
effective manner to provide security, given different situations.
Matthew Rosenquist
-----Original Message-----
From: Andrew Plato [mailto:aplato@private]
Sent: Tuesday, June 24, 2003 1:30 PM
To: 'Crispin Cowan'; crime@private
Subject: RE: CRIME IDS is dead says Gartner
The problem with your comments, Crispin, is that you consider basic packet
inspection to be security analysis. I disagree. Most firewalls (Checkpoint,
pix, netscreen, etc.) are packet filters. They look at communication
information and apply access control lists based on some rules.
This is no where near synonymous with an IPS which looks beyond the packet
and analyzes the entire communication stream. Proxy-based firewalls
(Sidewinder/Gauntlet and some variants) go part of the way there. They do
application-layer rules. But the classic packet filter firewalls do not have
that kind of ability.
I see firewalls as essentially an access control point. To use an airport
security analogy: firewalls control who gets on the plane and that's all.
They don't look to see if the person is carrying a bomb. And IPS does both
access control and looks in the person's luggage to see if there is any
bombs in there.
Consider the extremely basic problem of things like Code Red. Firewalls
couldn't stop code red at all, unless port 80 was blocked. But since that
would have killed the web sites of many companies - that wasn't really an
option. Therefore, the firewall did nothing to prevent code red. But a
host-IPS or network-IPS could have seen code red in the stream and dropped
the offending packets and kept web access open.
> How about we stop trying to classify them and just call them *all*
> firewalls? Then we can just compare firewalls head to head on
> features, performance, operational costs, security, etc.
Then we're comparing CheckPoints to IntruVerts, Netscreens to RealSecure
Guards - and that is a crummy comparison because they really are not the
same types of products. An IntruVert is not anywhere near the same as a
CheckPoint. A comparison between the two would be misleading. It would make
CheckPoint look lame and Intruvert look outlandishly priced.
As for your quadrants. You define anything that does merely access control
as prevention. I disagree. Access control does not mean bad stuff can't get
in. Merely blocking some communications at the perimeter does not make a
network secure. I would redefine your quadrants as hexants (is that a
word):
* Network
o Access control:
+ classic firewalls: Checkpoint, Netscreen,
PIX, etc.
+ Router/VLAN ACLs
o Prevention:
+ NIPS: inline SNORT, IntruVert, ISS Guard,
TopLayer Attack Mitigator, etc.
+ Application firewalls: Sidewinder, WatchGuard (sort of)
o Detection:
+ IDS: RealSecure, Snort/Sourcefire, ManHunt, etc.
* Host
o Access control:
+ ACLs, token authentication, locks, passwords, etc.
o Prevention:
+ Behavior HIPS: Okena, Entercept
+ Signature HIPS: RS Desktop/Server, Sygate
+ Secure OS: Immunix, a Windows box with no power ;-), etc.
o Detection:
+ Integrity monitors: Tripwire, etc.
And I would say best practices would be to try to have something at every
level.
___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security &
Infrastructure Solutions
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
> -----Original Message-----
> From: Crispin Cowan [mailto:crispin@private]
> Sent: Tuesday, June 24, 2003 12:36 PM
> To: aplato@private
> Cc: 'Justin Kurynny'; crime@private
> Subject: Re: CRIME IDS is dead says Gartner
>
>
> Andrew Plato wrote:
>
> >I have actually been working on a white paper that aims to
> define the
> >difference between IPS, IDS, and firewall. The paper is obviously
> >biased, since I am basing it on my experience and expertise, but
> >essentially my core definitions are:
> >
> A little feedback :)
>
> >IPSs:
> >
> There are both *host* and *network* IPS's, and they are different
> beasties. What you describe here is mostly NIPS.
>
> >- Perform some kind of analysis of communications and/or system
> >behavior to identify dangerous or potentially dangerous activity or
> >access.
> >
> Just like firewalls.
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 15:15:42 PDT