"Zow" Terry Brugger wrote:
> Unless it is a transparent application proxy,
Given. Still, it works at the application layer, otherwise it is a cunningly-renamed stateful firewall which performs deep inspection.
> Unless it is an IPS, in which case
In which case it is not an IDS, and thus not in scope with the original question :)
> The difference I'd see is that network IDS/IPS devices typically look
> for specific signatures (sequences of bytes, regular expressions,
> certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
> or network (IP) level packet.
Counterexamples: Arbor, Lancope
> Most can do some degree of session
> reassembly, but only in so far as to catch signatures which are
> divided across multiple packets.
I'm pretty sure that Martin Roesch, if he reads, will have something to say here :)

--
Best regards,
Ing. Stefano Zanero, PhD
CTO & Co-Founder
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI)
Phone: +39 02.24126788
Fax: +39 02.24126789
email: s.zanero@securenetwork.it
web: www.securenetwork.it
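The session reassembly mentioned in the quoted text, as an added example that is not part of the original post or any product's code: a per-packet matcher misses a signature divided across two TCP segments, while matching on the reassembled stream finds it. The signature, segments, sequence numbers and function names are constructed for illustration, and the first-copy-wins overlap policy is an assumption.

```python
# Added example; all data below is constructed.
SIGNATURE = b"/etc/passwd"   # sample byte pattern
FIRST_SEQ = 1000             # sequence number of the first data byte

# (sequence number, payload) pairs of one TCP flow, as captured:
# out of order, with one retransmission.
SEGMENTS = [
    (1017, b"sswd HTTP/1.0\r\n\r\n"),
    (1000, b"GET /../../etc/pa"),
    (1017, b"sswd HTTP/1.0\r\n\r\n"),
]


def per_packet_match(segments, signature):
    """Match each payload on its own, as a stateless matcher would."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, first_seq):
    """Rebuild the contiguous byte stream from (seq, payload) pairs.

    Tolerates reordering, retransmission and sequence wraparound. On
    overlap the first copy seen for a byte wins (an assumed policy; end
    hosts differ, and a sensor has to match the host it protects).
    Stops at the first gap, because later bytes are not yet deliverable.
    """
    seen = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            seen.setdefault((seq - first_seq + i) % 2**32, byte)
    out = bytearray()
    offset = 0
    while offset in seen:
        out.append(seen[offset])
        offset += 1
    return bytes(out)


def stream_match(segments, signature, first_seq):
    """Match the signature against the reassembled stream."""
    return signature in reassemble(segments, first_seq)


if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS, SIGNATURE))
    print("stream:    ", stream_match(SEGMENTS, SIGNATURE, FIRST_SEQ))
```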