Hi Andreas,

To respond to your email in reverse order.... packets are not
necessarily _routed_ through these devices. In fact, I would say that
in most cases, packets are _bridged_ across them. Most of these devices
bridge the traffic so that you don't have to reconfigure the network to
put one in. You simply stick it inline (no IP addresses on the inline
interfaces) and it bridges the traffic while sniping/blocking "bad" traffic.

As to the differences between the 3 terms you mention, let's first make
the assumption that IPS refers to an inline IPS. I have seen other
vendors claim IPS capabilities out-of-band... usually via TCP resets,
ICMP messages, manipulation of some other inline device, etc.

Getting that out of the way, I'm not sure what the difference is between
an inline IPS device and an Application Layer Firewall. These seem to
be vendor terms as far as I can tell. I'll give you an example: Some
vendor will spout the benefits of their "application layer firewall" to
a prospect, and then we'll be invited in, and we'll talk about our IPS
product and how it works, and the prospect eventually says something
like, "so can you act as an application layer firewall?". It
reminds me of another example. We'll talk about inspecting packets and
re-assembling packets and fragments to watch for some HTTP cross-site
scripting attack (as an example). Then, later on, the prospect will
ask, "so do you do deep packet inspection?" Some vendor created a
simple term for something complex, and people use the terms without
really understanding them. All they know is that they have to have it.
Actually, it reminds me of those eBay commercials for "it". :)

Inline IDS is a different story. Inline IDS could simply refer to an IDS
system that gets its traffic by sitting inline. This does not
necessarily mean that it is sniping/blocking "bad" traffic. For
customers who still want "IDS" instead of "IPS" this can be a good
solution for them.... by putting an IDS inline, you don't have to set up
a SPAN port (which can be too easily undone by somebody else) or
purchase a network tap (which can get pretty pricey depending on what
you're tapping and how many you need). NFR's Smart Sensors offer this
as an option, so instead of being an IPS, it can simply be put inline in
a non-blocking mode. A lot of customers start in this mode and then,
after baselining the network, they turn on the IPS features, moving from
"inline IDS" mode to "IPS" mode.

I'm sure there will be people who disagree with me... but that's my
story and I'm sticking to it.

thanks,
dave
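As an added illustration of two points in the reply above, the "inline IDS" (alert and forward) versus "IPS" (alert and drop) modes and why the sensor has to reassemble the stream before matching, here is a toy inline sensor. It is example code written for this thread, not NFR's or any vendor's product; the flow endpoints, the split HTTP request and the crude cross-site-scripting pattern are all constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
# Crude cross-site-scripting indicator in an HTTP request, the attack class
# the email uses as its example. Constructed for this illustration.
XSS_PATTERN = re.compile(rb"<script[^>]*>", re.IGNORECASE)

@dataclass
class Segment:
    flow: tuple     # (client, server) endpoints of the bridged TCP flow
    seq: int        # sequence number of the first payload byte
    payload: bytes

@dataclass
class InlineSensor:
    blocking: bool  # False = "inline IDS" mode, True = "IPS" mode
    streams: dict = field(default_factory=lambda: defaultdict(dict))
    alerts: list = field(default_factory=list)

    def _reassemble(self, flow):
        # Join the contiguous bytes buffered for this flow in sequence order, so
        # a pattern split across segments (or arriving out of order) is matched.
        segs, out, nxt = self.streams[flow], b"", min(self.streams[flow])
        while nxt in segs:
            out += segs[nxt]
            nxt += len(segs[nxt])
        return out

    def process(self, seg):
        """Return True if the segment is forwarded, False if dropped."""
        self.streams[seg.flow][seg.seq] = seg.payload
        hit = XSS_PATTERN.search(self._reassemble(seg.flow))
        if hit:
            self.alerts.append((seg.flow, hit.group(0)))
        # Inline IDS mode alerts but always forwards; IPS mode also drops.
        return not (hit and self.blocking)

def per_packet_hits(segments):
    """Naive per-packet matching, for comparison with stream reassembly."""
    return sum(1 for s in segments if XSS_PATTERN.search(s.payload))

def run(blocking, segments):
    # Feed segments through one sensor; return (forwarded flags, alert count).
    sensor = InlineSensor(blocking=blocking)
    return [sensor.process(s) for s in segments], len(sensor.alerts)

# Constructed sample: one HTTP request split so the signature straddles the
# segment boundary (addresses are documentation-range placeholders).
FLOW = ("192.0.2.10:40000", "192.0.2.80:80")
REQUEST = [Segment(FLOW, 1000, b"GET /search?q=<scr"),
           Segment(FLOW, 1018, b"ipt>alert(1)</script> HTTP/1.0\r\n\r\n")]
```

Per-packet matching never fires on this request, while the reassembling sensor alerts on it in both modes and only drops the offending segment when `blocking` is set.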
Andreas Hess wrote:
Hi,
I wonder if there are any conceptual differences between:
- inline IDSs,
- IPS and
- Application Layer Firewalls
Or are these just three terms that mean the same?
To my understanding all three concepts do access control up to the
application layer and in addition, they all have a certain impact on
the network performance as all packets are routed through them.
Regards
Andreas
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
David W. Goodrum, CEH
Federal Sales Manager
(nfr)(security)
http://www.nfr.com
(M)703.731.3765
(O)240.747.3425
(F)240.632.0200