focus-ids October 2008 archive

Re: IDS vs Application Proxy Firewall

From: Stefano Zanero <s.zanero_at_nospam>
Date: Wed Oct 22 2008 - 17:08:14 GMT
To: "\"Zow\" Terry Brugger" <zow@acm.org>


"Zow" Terry Brugger wrote:

> Unless it is a transparent application proxy,

Given. Still, it works at the application layer, otherwise it is a cunningly-renamed stateful firewall which performs deep inspection.

> Unless it is an IPS, in which case

In which case it is not an IDS, and thus not in scope with the original question :)

> The difference I'd see is that network IDS/IPS devices typically look
> for specific signatures (sequences of bytes, regular expressions,
> certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
> or network (IP) level packet.

Counterexamples: Arbor, Lancope

> Most can do some degree of session
> reassembly, but only in so far as to catch signatures which are
> divided across multiple packets.

I'm pretty sure that Martin Roesch, if he reads, will have something to say here :)

--
Best regards,
Ing. Stefano Zanero, PhD
CTO & Co-Founder
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI)
Phone: +39 02.24126788 Fax: +39 02.24126789
email: s.zanero@securenetwork.it
web: www.securenetwork.it