RE: IPS vs. Firewalls
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 3 Feb 2006 10:34:49 -0500
Subject: Re: [fw-wiz] IPS vs. Firewalls
] I particularly got a chuckle out of Intruvert's (now NAI) claim that they
] protect against encrypted attacks. I needed some yuks to lighten up my
...now McAfee* (has been for a while). They sold NAI shortly after the
IntruVert purchase. And, if by protect you mean 'drop packets and send
spoofed resets' and by 'encrypted' you mean 'known protocols over SSL where
the private key is provided to the sensor', then they can. But that doesn't
sound anywhere near as impressive as 'protects against encrypted attacks' in
the product cut sheets.
] Actually, Intruvert, Blue Coat, and a number of other vendors now have
] products which do MITM for SSL connections, assuming you have enough
] control over one endpoint to force it to accept your bogus root certificate.
Actually, the IntruShield products don't do (or at least, didn't do) MITM.
The sensor gets a copy of the private key and does parallel decryption of
the stream. So it's essentially only effective in inbound scenarios.
Outbound SSL connections, reverse tunnels, SSH, IPSec, etc. are all blind
spots, same as any other NIDS.
There's also a performance hit associated with decrypting SSL in parallel.
I've never tried it, but I would be surprised if it were possible to beat
the response feature by overloading the SSL ASIC through volume. For
high-volume SSL traffic, I personally recommend terminating SSL on a
reverse-proxy / load-balancer and putting your IDS between that point and
the actual server. It just scales better.
* Disclaimer: I used to work for a McAfee VAR and have been indoctrinated in
the ways of IntruShield through vendor/channel training. But I installed my
share of IntruShield systems, too. That is to say, I drank the Kool-Aid,
but it wasn't bad.
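The termination layout recommended in the post (SSL ends on a reverse proxy / load-balancer, and the IDS watches the plaintext leg between the proxy and the real server) written out as an nginx configuration. This is an added example, not part of the original post or any vendor's product; the hostname, origin addresses, certificate paths and the 10.10.20.0/24 segment are assumed.

```nginx
# Added example (not from the list post). TLS terminates here on the proxy;
# the private key lives only on this host, so the IDS sensor needs neither a
# copy of the key nor crypto hardware. The proxy-to-origin leg is plaintext
# HTTP on a dedicated segment that the sensor taps (SPAN port or network tap).
# All names, addresses and paths below are assumptions for illustration.

events {
    worker_connections 1024;
}

http {
    upstream app_origin {
        # Origin servers on the monitored plaintext segment (assumed addresses).
        server 10.10.20.11:8080;
        server 10.10.20.12:8080;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        # Certificate and key stay on the proxy only (assumed paths).
        ssl_certificate     /etc/nginx/tls/www.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Plaintext to the origin. Everything the sensor sees on
            # 10.10.20.0/24 is already decrypted, so it inspects and
            # (if inline) blocks on the real request bytes.
            proxy_pass http://app_origin;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

The point of the layout is that the plaintext leg is the only place where inspection is needed, and it scales with ordinary proxy capacity rather than with the sensor's decryption throughput. Because that leg carries cleartext, it has to be an isolated segment between the proxy and the origin servers, not a path that untrusted hosts can reach.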
firewall-wizards mailing list
firewall-wizards () honor icsalabs com