Hi all,

surfing / caching proxies are good for blocking URLs or bad active content from websites, but I assume the MS ISA can't do that very well.

SSL proxies use man-in-the-middle attacks to decrypt and monitor external encrypted traffic; internal SSL traffic can be handled by a host IDS or an IDS balancer. The *content* of web servers cannot be monitored by IDS / IPS, that's why HTTP reverse proxies are used, for example if a client tries to manipulate a price in a web shop or something. In general there is no clear delimitation between these security technologies, the boundaries are fluid. IDS / IPS can cover some parts of the security done by surfing proxies, and the HTTP reverse proxies also can protect the web server application.

So, it depends.

Best regards,
Stephan Luedorf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 25, 2005 8:44 PM
To: Dan Widger
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Comparison of

Hi Dan, hi list,

answers inline:

Dan Widger wrote:
> I'd like to know how technical networking security professionals would compare MS ISA / proxy firewall, with the capabilities of an IPS, versus a web application firewall solution (Kavado / Sanctum / Teros / NetContinuum). If we wanted to go a level deeper, we could throw a MS ISA firewall with ISS Server sensor into the mix.

I don't know MS ISA very well, but from what I've heard it's quite useful in smaller environments with medium security. In high security environments I would strongly recommend a full blown proxy firewall AND an IDS or IPS. ISA might be really good for several purposes, but I still think that vendors that specialize in proxy and firewall systems are better. Especially when they have an E3/high certificate (European certificate) or better, you can be sure that the design and implementation are solid. In addition I would think about some kernel-level protection software - something that protects you from buffer overflows - on web servers, and an IPS or IDS.

One drawback with IPS is that some false positives could cause denial of service, so you should be careful with active responses like packet dropping and TCP reset. Thorough tuning of policies is required.

> At stake is a web application, operating in a secure subnet / dmz. If the objective is to "protect" all the servers in the secure subnet, which device would be adequate, and which may be inadequate for providing protection from internet attack against servers in the "secure subnet"?

All of the three options could be adequate. This depends on what level of security and availability you need. There are also products available that specialize in securing web (http) applications. When using https you can terminate the SSL encryption on a proxy and put an IPS inline. Of course this is no end-to-end encryption, but this way you have a chance to filter out malicious stuff before it hits your web servers.

> Does anyone have any quantitative experience comparing Web Application Firewalls with IPS?

Both are part of your security toolbox.

> In my humble opinion, all of these solutions are variations of a proxy solution.

No, an IPS is no proxy, since a proxy is an application that does not simply forward packets as they are; it provides a service to a client and requests that service from another server. A proxy can load a website and serve that site to a client in another format or with limited content (e.g. stripping ActiveX or scripts off the code). An IPS does not alter contents. If a content is malicious it triggers an alert and (if configured) drops the whole packet or even the connection. Of course those things tend to intermix in some products, e.g. with Check Point Application Intelligence.

> In my partially informed mind, the real question is what application or protocol (PAM) intelligence is applied on top of the proxy.

An IPS can use simple patterns (signatures) and some more sophisticated heuristics.

Protocol analysis is somewhat different if you look at ISS. ISS uses signatures AND protocol analysis. With signatures you look for a pattern of a known exploit. With protocol analysis you can detect when a known vulnerability is being exploited, like <IF protocol message xyz contains a string longer than 255 bytes THEN...>. This assumes that the analysis module knows the structure of the protocol and even detects a protocol if it doesn't run on the default port. The good thing with signatures is: you know exactly (by name) what attack hits your network. The good thing with protocol analysis is: you can detect new (zero day) exploits. Thus you might get two alerts for the same event: one for the signature hit, one for the vulnerability hit. ISS folks: Did I get that right? ;)

> One resource made the analogy that IPS is "a mile wide, and a foot deep", and web app firewall is "a foot wide, and a mile deep". In this discussion, ISA is a general proxy with MS networking intelligence, and would therefore be shallower in terms of overall "deep packet inspection" capabilities.

I cannot confirm that. This depends on the product implementation, not on the general approach.

HTH,
Detmar

_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
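Detmar's distinction between a signature hit and a protocol-analysis (vulnerability) hit, and why one event can raise both alerts, as an added example that is not part of the thread or of any ISS product: the signature name, the example.cgi path, the sample requests and the toy HTTP parser with its 255-byte field check are constructed here for illustration.

```python
import re

# Constructed signature for a hypothetical known exploit: the attack name and
# the example.cgi path are made up here, the thread names no real exploit.
SIGNATURES = {
    "HTTP_Example_CGI_Overflow": re.compile(rb"GET /cgi-bin/example\.cgi\?name=A{300,} "),
}
MAX_FIELD_LEN = 255  # the "longer than 255 bytes" rule from the thread
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")

def is_http(payload):
    # Recognise HTTP from the request line, not from the port it arrived on.
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/")

def parse_http(payload):
    # Return (method, uri, headers); header names lower-cased, values stripped.
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method, uri, _version = lines[0].split(b" ")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def signature_alerts(payload):
    # Signature hit: you know the attack by name, but only if the pattern is known.
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

def protocol_alerts(payload):
    # Vulnerability hit: an oversized field is flagged whether or not the exploit is known.
    if not is_http(payload):
        return []
    _method, uri, headers = parse_http(payload)
    alerts = ["HTTP_URI_Too_Long"] if len(uri) > MAX_FIELD_LEN else []
    for name, value in headers.items():
        if len(value) > MAX_FIELD_LEN:
            alerts.append("HTTP_Header_Too_Long:" + name.decode())
    return alerts

def analyze(payload):
    # One event can raise both kinds of alert, as Detmar describes.
    return signature_alerts(payload) + protocol_alerts(payload)

# Constructed sample traffic: benign, a "known" exploit, and an unknown overflow attempt.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
KNOWN = b"GET /cgi-bin/example.cgi?name=" + b"A" * 300 + b" HTTP/1.1\r\nHost: shop.example\r\n\r\n"
UNKNOWN = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: " + b"B" * 300 + b"\r\n\r\n"
```

The KNOWN request triggers both the named signature and the length rule, while UNKNOWN, which matches no signature, is still caught by the protocol check.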
