Firewall Wizards: Re: IPS vs. Firewalls

Re: IPS vs. Firewalls

From: Kevin <kkadow_at_gmail.com>
Date: Thu, 2 Feb 2006 12:11:50 -0600

Marcus J. Ranum wrote:
] I particularly got a chuckle out of Intruvert's (now NAI)
] claim that they protect against encrypted attacks. I needed some yuks
] to lighten up my morning!!

Actually, Intruvert, Blue Coat, and a number of other vendors now have
products which do MITM for SSL connections, assuming you have enough
control over one endpoint to force it to accept your bogus root certificate.

Scary stuff.

> On Mon, Dec 26, 2005 at 04:39:51PM +0900, Phil Albacore wrote:
> > Some of the managers at my company are pushing to
> > get rid of our firewall in exchange for IPS devices. They've heard that IPS
> > sensors can be used to block traffic, so they've got it in their heads
> > that we don't need a firewall anymore.

Blame for this lies squarely at the feet of "the Jericho project".
Give IPS another ten years of development, and they might even be right.

On 2/2/06, ArkanoiD <ark_at_eltex.net> wrote:
> IPS can be (and are being) successfully evaded by fragmentation attacks.
> Even worse, the signature-based approach is flawed anyway. Internet protocol
> security relies on managing data flow, not on trying to find "attacks" in it.
> There are zillions of ways to do bad things and no IPS can handle them all.

One of the things I like about using a full-reassembly app proxy is that the
proxy firewall gives the IPS a defragmented packet stream to work with :)

> (I'd even say that anyone who seriously claims that IPS can replace a firewall
> is a stupid moron lacking an understanding of even security basics, and if
> those people are allowed to make technical decisions your company has damn
> big management problems)

An IPS isn't better than a correctly configured firewall enforcing an
effective and strict policy. I might argue that an IPS is better
than an ineffective firewall configured with a dangerously weak (e.g.
'default permit') policy, but that is more an argument in favor of strong
firewall policies than an argument for replacing firewalls with IPS.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2006
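As an added illustration of the "strict policy" versus "default permit" contrast in the post above (this is not code from the original message or the list), here is a default-deny nftables ruleset. The dangerous variant Kevin refers to would be the same chains with `policy accept;` and no final drop rule, so any service nobody thought about is reachable until something detects an attack on it. Interface names and the permitted ports are placeholders.

```nftables
# Added example, not from the original post.
# Default-deny ruleset: the chain policy is 'drop', and only traffic the
# policy explicitly names is accepted. The weak 'default permit' form is
# the same ruleset with 'policy accept;' and without the final drop rules.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny, not 'accept'
        ct state established,related accept               # replies to allowed flows
        ct state invalid drop                             # drop packets conntrack cannot place in a flow
        iif "lo" accept
        tcp dport { 22, 443 } ct state new accept         # placeholder: only the services the policy names
        counter log prefix "input-drop: " drop            # everything else is logged and dropped
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "eth1" oif "eth0" tcp dport { 80, 443 } ct state new accept   # placeholder interfaces: inside to outside web only
        counter log prefix "forward-drop: " drop
    }
}
```

The logged drops double as a cheap detection feed: with a strict policy, anything that reaches the final rule is by definition outside what the organisation decided to allow.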
