[Snort-users] Re: [Snort-devel] IDS vs IPS

Gordon Cunningham gacunningham at ...163...
Thu Aug 28 07:17:14 EDT 2003

Yes, we *ARE* seeing convergence in products like BlackIce (which I do
consider a firewall+IDS - but not a router - I used to use it as my home DSL
firewall with a dual-NIC machine and it worked very well during the height
of Code Red),  and the Cisco NIDS system's ability to interact with Cisco
switches, routers and firewalls to provide reactive hardening upon threat
detection.  The problem, IMO, is that sufficient granularity has been
lacking, possibly due to traffic levels and speed of detection issues to say
nothing of the rulebase size, and the nature of networks to often have many
types of inappropriate traffic appear as legitimate traffic or vice versa.
And now we are adding a 4th dimension - time - how do you differentiate not
only by host, protocol, port and payload, but now differentiation changes
over time?

While some firewall vendors will have a tough time making the leap from
stateful inspection, those with application/proxy level (IP stack) firewalls
(remember Raptor?) might be more comfortable dealing with packet payloads
and traffic analysis, IMO.  IPS is just another spin on this convergence,
attempting to make it "one box" or one methodology, but either way it is the
next step - an integration.

But it will be the specialists teaming with the big boys that pull this
off - unless someone really misses the mark, that's usually how the
evolution (not revolution) in IT usually goes.

- Gordon

"The software said it requires Windows 98 or better, so I installed

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]  On Behalf Of Bob Walder
Sent:	Thursday, August 28, 2003 5:15 AM
To:	'Jason'; 'Frank Knobbe'
Cc:	bwalder at ...1926...; 'Mark Teicher'; 'Jeff Nathan'; Vkmobile at ...661...;
snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject:	RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

One important distinction

Firewalls are about policy enforcement - IDS and IPS are about detection
(as of THIS moment in time)

I still see the IPS as an evolution of the IDS and not the firewall. In
my opinion, the firewall is itself gonna have to evolve pretty damn
quickly to stop the IPS going the whole hog and taking over its job too.

YES - the two technologies have similar aims and will undoubtedly
converge. BUT, who do you see winning the race? In my opinion, the guys
who already have the flashy hardware and solid IDS/IPS technology will
have an easier time of it than the firewall vendors (i.e. the likes of
Tippingpoint and Intruvert/NAI).

By the way - why not ask NetScreen how hard it is to integrate IPS and
firewall technology?! They already had a firewall appliance - if it is
really that easy to converge these technologies (or if there really
isn't a difference between them in the first place) then why have we not
seen their IPS technology already fully integrated into their fancy
firewall platform?

Cisco is well placed to do this job too - it has the big switches which
could take a flashy new IPS/IDS/firewall blade, and the in-house
expertise with both firewall and IDS technologies. AND it understands
how important it is for this stuff to be rock solid and scalable. Both
Intruvert and Tippingpoint could probably also make a decent fist of it.

But... It ain't easy! It will be a while before these things do
converge, and until then I foresee a number of religious arguments over
which technology is best, which technology is pure marketing hype, which
technology came first, blah, blah, blah (i.e. a bit like this thread...

Oh... And no way am I advocating that any one of these technologies can
displace the others right now - they all have their place. On my network
I have two firewalls at the perimeter for the policy enforcement stuff
(i.e. that's where I say "allow HTTP to this server on my DMZ, don't
allow Telnet to anything, allow FTP to that server on my DMZ, and so
on...). Behind those I have an IPS - also at the perimeter - to catch
the bad stuff that the firewall lets through (i.e. the firewall says let
through HTTP traffic, but there is a lot of nasty stuff that could ride
on the back of that). And finally, I have IDS systems on the DMZ and
internal networks just so I can mop up anything that might get through
owing to the fact I don't want my IPS to block absolutely everything
('cos it's just not ready for that yet!)

I would LOVE to have just the one box for this.... But it's just not



>> -----Original Message-----
>> From: Jason [mailto:security at ...5028...]
>> Sent: 28 August 2003 05:17
>> To: Frank Knobbe
>> Cc: bwalder at ...1926...; 'Mark Teicher'; 'Jeff Nathan';
>> Vkmobile at ...661...; snort-devel at lists.sourceforge.net;
>> snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
>> Thanks, I think the matrix shows fairly well that the _new IPS_ is a
>> natural evolution of the existing firewall.
>> This is important to point out because there are existing
>> investments in
>> firewalls and these firewalls are rapidly closing the gap
>> where needed.
>> I know that CP has been moving in this direction for a while. It has
>> also been my experience that they have been moving at an appropriate
>> pace and the capabilities have been there when I've needed them.
>> One final statement. You do not need the firewall to log
>> content if you
>> have an IDS that you can trust will not have a direct impact on the
>> business should it be too critical of the data.
>> You can also have confidence in your firewall because your
>> IDS verifies
>> what you told the firewall to do and covers your arse when you let
>> something by because of business requirements or a human error.
>> Frank Knobbe wrote:
>> > On Wed, 2003-08-27 at 18:36, Jason wrote:
>> >
>> >>Bob Walder wrote:
>> >>
>> >>>My 0.02 worth is that a Network IPS (NIPS) is a device with two
>> >>>interfaces that operates in-line to detect suspicious traffic and
>> >>>INSTANTLY discard the offending packet and the rest of
>> the suspicious
>> >>>flow.
>> >>
>> >>What we have here is a definition of an IPS that matches pretty
>> >>closely what firewalls have been able to do for some time.
>> >
>> >
>> >
>> > Not quite. There are difference in the way firewalls and intrusion
>> > detection systems analyze data. For example, I have not seen a
>> > firewall that can identify a CodeRed attempt by name for example.
>> > Yeah, you can block HTTP methods and put limiters on URL's
>> etc (you
>> > mentioned CP as an example which can do that with HTTP
>> content stuff).
>> > But I have not come across a firewall with a 'signature
>> set' like IDS'
>> > have them......yet.
>> >
>> > It is true that most firewalls are under-utilized. However, an IPS
>> > (being based on an IDS) has capabilities beyond a firewall. Policy
>> > violations (or network flow anomalies) can be detected by
>> firewalls
>> > and cause some sort of reaction/enforcement (CP's SAM is
>> one example).
>> > However, firewalls don't have statistical anomaly
>> detection like some
>> > IDS' do.
>> >
>> > Let's draft a matrix of capabilities:
>> >
>> > Metric      |  Firewall      |  IDS           |  IPS
>> > -----------------------------------------------------------
>> > Signature   | Limited packet | Extensive      | See IDS
>> > Analysis    | inspection     | signature sets |
>> >             | due to lack of | allow wide     |
>> >             | rule set defin.| pattern match  |
>> > -----------------------------------------------------------
>> > Protocol    | Mostly present | Present        | Present
>> > validation  |                |                |
>> > -----------------------------------------------------------
>> > Traffic flow| Present, that's| Present        | Present
>> > Anomaly Det.| what they do   |                | Present
>> > -----------------------------------------------------------
>> > Statisitcal | Absent         | Present        | Absent (???)
>> > Anomaly Det.|                |                | (as of today)
>> > -----------------------------------------------------------
>> > Packet Log  | Logging mostly | capable of     | See IDS
>> >             | high level     | logging content|
>> > -----------------------------------------------------------
>> > Protocol    | Present        | Absent         | Present
>> > normalizat  |                |                |
>> > ion         |                |                |
>> > ===========================================================
>> > Activity    | Active         | Mostly Passive | Active
>> >
>> >
>> > If someone wants to take this further, feel free. But as
>> you can see,
>> > IPS and firewalls are not quite alike (but neither are IPS
>> and IDS! :)
>> >
>> > Regards,
>> > Frank
>> >

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list