On 30/03/06 08:30 -0800, Andrew Plato wrote: > > > If by firewall, you mean a proxy which validates protocols > > and is in default deny mode, then you are just wrong. > > > If I don't have a proxy for it, I don't let the traffic through works > just fine. > > > An IPS looks at stuff on the wire, decides what is bad, and blocks it. > > A real firewall looks at stuff on the wire, decides what is good, > > and allows it. A real firewall hooks into everything (servers, > > network equipment, desktops...). > > Proxy firewalls make up a small (and shrinking) percentage of the market > of firewalls. And having worked with over 500 different companies, my
And that market-share is relevant how? Just because everyone thinks the world is flat does not make it so. > experience is that proxy-based firewalls are rarely deployed in the > manner you describe. The default deny from unknown or unallowed > protocols is almost ALWAYS turned off because it breaks some important And that justifies an IPS? > businesses system that was poorly coded. Furthermore, a proxy validating Then the right thing to do is to fix the application. > protocols still cannot stop a lot of exploits. Plenty of exploits live > quite comfortably inside the RFC-specs for a protocol. And in this case, > your proxy-firewall would do nothing to stop them. > Actually, the proxy would know what valid traffic to expect. Regular expressions are nice if used properly. Plug in a reverse proxy in front of your webserver and block queries with SQL(ish) content embedded. If you think that you can run an Internet facing system without knowing what is on the network, you are just plain wrong. > Most firewalls have no insight into application-layer content. And most ITYM packet filters and not firewalls. > exploits are application-layer exploits. This isn't just some insane > idea, it's a fact. You can ignore this and tell yourself 10000 times you > don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls > are not sufficient protection for most organizations. Other than networking stack issues, everything else is an application layer exploit. Not having a service installed, not running it, staying patched, using proxies correctly, using well coded software, watching your logs..... > > > Once you have a firewall in place, you need a system which > > analyses logs and traffic which gets through your firewall. > > Which is why you sandwich your firewall with a good IPS, so you can see > what gets through and block it - if necessary. > IDS yes, IPS no. Oh, and good backups. Devdas Bhagat ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
