Firewall Wizards
mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 13:49:35 -0500
Gabriele Buratti wrote:
Dave Piscitello wrote:
> If you take issue with this, consider
> that some companies who bash proxies as being performance inhibitors
> bolt SSL VPNs onto their firewalls.
Yep! You still need proxies to do this SSL stuff, as well as to hook in an
antivirus, for example.
Remember the old networking rule "switch when you can, route when you
must"? In this field it could be read as "analyze on-the-fly when you can,
rewrite with a proxy when you must".
An interesting exercise for this list - possibly a new thread? - is
"what security policies are best enforced by implementing on-the-fly
analysis" versus "what security policies are best enforced by proxy
rewrites".
You have to use both approaches here. Let's say our knowledge base is the
definition of the HTTP protocol as it should be. So, if you find malformed
(non-compliant) HTTP, you drop it. What if you find some instant
messaging traffic (which you don't want in your network) that is HTTP compliant?
Apply recursion. Because different traffic is now multiplexed over a
well-known port, in many cases it's not enough to only look for
malformed HTTP traffic. We have to determine whether the correctly formed
traffic is allowed or disallowed by policy. What makes this more problematic
here than at the link and IP levels is that we can't always rely on
unique discriminators like Ethernet/SNAP type, TCP/UDP port, and IP protocol.
So you again have to think about on-the-fly versus rewrite. You again
have to think about the effects of a default deny-all at the end of your
allow policies (e.g., I allow protocols x, y, and z over HTTP/80 and
deny all non-compliant HTTP as well as any protocol but x, y, and z).
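The two-stage policy Dave sketches (drop non-compliant HTTP first, then decide whether the compliant traffic carries an application you allow, with default deny at the end) is easy to state and easy to get wrong at the second stage, because the discriminators are no longer fixed fields. The following is an added example, not code from this thread or from any product discussed in it: a strict HTTP/1.x request-head parser followed by an application classifier and an allow list. The application signatures (the `.im.example` host suffix, the `application/x-example-im` content type) and the sample requests are constructed for illustration and are not real protocol fingerprints.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Stage 1: is this well-formed HTTP at all?  RFC 7230 request-line and
# header-field grammar, deliberately strict (CRLF only, token header names,
# Host mandatory for HTTP/1.1).  Anything that fails here is "malformed".
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str]  # lower-cased field names


def parse_http_request(raw: bytes) -> Optional[Request]:
    """Return a Request for a compliant request head, or None if non-compliant."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return None  # no end-of-headers marker (e.g. bare LF line endings)
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return None  # e.g. a space in the field name, or a bare line
        name = h.group(1).lower()
        headers[name] = (headers[name] + ", " + h.group(2)) if name in headers else h.group(2)
    if m.group(3) == "1.1" and "host" not in headers:
        return None
    return Request(m.group(1), m.group(2), m.group(3), headers)


# Stage 2: which application is riding on this compliant HTTP?
# Signatures below are hypothetical, constructed for this example only.
def classify(req: Request) -> str:
    host = req.headers.get("host", "")
    ua = req.headers.get("user-agent", "")
    ctype = req.headers.get("content-type", "")
    if req.method == "CONNECT":
        return "tunnel"
    if ctype == "application/x-example-im" or host.endswith(".im.example"):
        return "im"  # instant messaging tunnelled over HTTP (constructed marker)
    if ctype.startswith("text/xml") and "soapaction" in req.headers:
        return "soap"
    if req.method in ("GET", "HEAD") and ua.startswith("Mozilla/"):
        return "browser"
    return "unknown"


# The "x, y, z" of the text: applications permitted over HTTP/80.
ALLOWED = frozenset({"browser", "soap"})


def decide(raw: bytes) -> Tuple[str, str]:
    """Apply: drop malformed HTTP; allow listed applications; default deny."""
    req = parse_http_request(raw)
    if req is None:
        return ("DROP", "malformed HTTP")
    app = classify(req)
    if app in ALLOWED:
        return ("ALLOW", app)
    return ("DROP", f"{app} not in allow list")  # default deny-all at the end


# Constructed sample traffic for the example.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "im": (b"POST /gateway HTTP/1.1\r\nHost: chat.im.example\r\n"
           b"Content-Type: application/x-example-im\r\nContent-Length: 12\r\n\r\nhello world!"),
    "bare_lf": b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nBad Header: x\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "tunnel": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:>10}: {decide(raw)}")
```

Note that `classify` is the weak link, exactly as the message says: the parser's verdict is grounded in a written specification, but "im" versus "browser" rests on discriminators the sender controls. That is why the allow list is closed and the final branch is a drop, so traffic that evades every signature is still denied rather than waved through as "unknown".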