mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 13:49:35 -0500
Gabriele Buratti wrote:
Dave Piscitello wrote:
> If you take issue with this, consider
> that some companies who bash proxies as being performance inhibitors
> bolt SSL VPNs onto their firewalls.
Yep ! You still need proxies to do this SSL stuff as long as to hook an
antivirus for example.
Remember the old networking rule "switch when you can, route when you
must" ? In this field could be read as "analize on-the-fly when you can,
rewrite with a proxy when you must".
An interesting exercise for this list - possibly a new thread? - is
"what security policies are best enforced by implementing "on-the-fly
analysis" versus "what security policies are best enforced by proxy
You have to use both approaches here: let's say our knowledgebase is the
definition of http protocol as it should be. So, if you find malformed
http (=non compliant) you drop it. What if you find some instant
messaging traffic (you don't want in your network) that is http compliant ?
Apply recursion. Because different traffic is now multiplexed over a
well-known port, in many cases it's not enough to only look for
malformed http traffic. We have to whether the correctly formed traffic
is allowed or disallowed by policy. What makes this more problematic
here than at the link and IP levels is that we can't always rely on
unique discriminators like Ethernet/SNAP TCP/UDP port, and IP PROTOcol.
So you again have to think about on-the-fly versus rewrite. You again
have to think about the effects of a default deny all at the end of your
allow policies (e.g., I allow protocols x, y, and z over http/80 and
deny all non-compliant http as well as any protocol but x, y, and z).
Description: S/MIME Cryptographic Signature
Re: IPS vs. Firewalls Mark Teicher (Feb 03)