Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: IPS vs. Firewalls (why vs. ?)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 13:49:35 -0500

Gabriele Buratti wrote:
Dave Piscitello wrote:
 > If you take issue with this, consider
 > that some companies who bash proxies as being performance inhibitors
 > bolt SSL VPNs onto their firewalls.

Yep ! You still need proxies to do this SSL stuff as long as to hook an antivirus for example. Remember the old networking rule "switch when you can, route when you must" ? In this field could be read as "analize on-the-fly when you can, rewrite with a proxy when you must".

An interesting exercise for this list - possibly a new thread? - is "what security policies are best enforced by implementing "on-the-fly analysis" versus "what security policies are best enforced by proxy rewrites".

You have to use both approaches here: let's say our knowledgebase is the definition of http protocol as it should be. So, if you find malformed http (=non compliant) you drop it. What if you find some instant messaging traffic (you don't want in your network) that is http compliant ?

Apply recursion. Because different traffic is now multiplexed over a well-known port, in many cases it's not enough to only look for malformed http traffic. We have to whether the correctly formed traffic is allowed or disallowed by policy. What makes this more problematic here than at the link and IP levels is that we can't always rely on unique discriminators like Ethernet/SNAP TCP/UDP port, and IP PROTOcol.

So you again have to think about on-the-fly versus rewrite. You again have to think about the effects of a default deny all at the end of your allow policies (e.g., I allow protocols x, y, and z over http/80 and deny all non-compliant http as well as any protocol but x, y, and z).

Attachment: dave.vcf

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]