Re: [ISSForum] Comparison of
Hi Dan, hi list,
Dan Widger wrote:
> I'd like to know how technical networking security
> professionals would compare MS ISA / proxy firewall, with the
> capabilities of an IPS, versus a web application firewall solution
> (Kavado / Sanctum / Teros / NetContinuum). If we wanted to go a level
> deeper, we could throw a MS ISA firewall with ISS Server sensor into the
I don't know MS ISA very well, but from what I've heard it's quite
useful in smaller environments with medium security.
In high security environments I would strongly recommend a full blown
proxy firewall AND an IDS or IPS.
ISA might be really good for several purposes, but I still think that
vendors that specialize in proxy and firewall systems are better.
Especially when they have an E3/high certificate (European certificate)
or better, you can be sure that the design and implementation are solid.
In addition I would think about some kernel-level protection software -
something that protects you from buffer overflows - on webservers and an
IPS or IDS.
One drawback with IPS is that some false positives could cause denial of
service, so you should be careful with active responses like packet
dropping and TCP reset. Thorough tuning of policies is required.
> At stake is a web application, operating in a secure subnet
> / dmz. If the objective is to "protect" all the servers in the secure
> subnet, which device would be adequate, and which may be inadequate for
> providing protection from internet attack against servers in the "secure
All three options could be adequate. This depends on what level
of security and availability you need. There are also products available
that specialize in securing web (HTTP) applications.
When using HTTPS you can terminate the SSL encryption on a proxy and put
an IPS inline. Of course this is no end-to-end encryption, but this way
you have a chance to filter out malicious stuff before it hits your web
> Does anyone have any quantitative experience comparing Web
> Application Firewalls with IPS?
Both are part of your security toolbox.
> In my humble opinion, all of these solutions are variations
> of a proxy solution.
No, an IPS is no proxy, since a proxy is an application that does not
simply forward packets as they are; it provides a service to a client and
requests that service from another server.
A proxy can load a website and serve that site to a client in another
format or with limited content (e.g. stripping ActiveX or scripts off
An IPS does not alter contents. If content is malicious it triggers an
alert and (if configured) drops the whole packet or even the connection.
Of course those things tend to intermix in some products, e.g. with
Check Point Application Intelligence.
> In my partially informed mind, the real question
> is what application or protocol (PAM) intelligence is applied on top of
An IPS can use simple patterns (signatures) and some more sophisticated
heuristics. Protocol analysis is somewhat different if you look at ISS.
ISS uses signatures AND protocol analysis. With signatures you look for
a pattern of a known exploit. With protocol analysis you can detect when
a known vulnerability is being exploited, like <IF protocol message xyz
contains a string longer than 255 bytes THEN...>. This assumes that the
analysis module knows the structure of the protocol and even detects a
protocol if it doesn't run on the default port.
The good thing with signatures is: You know exactly (by name) what
attack hits your network.
The good thing with protocol analysis is: You can detect new (zero day)
Thus you might get two alerts for the same event: one for the
signature hit, one for the vulnerability hit.
ISS folks: Did I get that right?
> One resource made the analogy that IPS is "a mile wide, and
> a foot deep", and web app firewall is "a foot wide, and a mile deep".
> In this discussion, ISA is a general proxy with MS networking
> intelligence, and would therefore be shallower in terms of overall "deep
> packet inspection" capabilities.
I cannot confirm that. This depends on the product implementation, not
on the general approach.
ISSForum mailing list
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
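The signature-versus-protocol-analysis point made in the reply above, as an added Python example that is not part of the thread and not ISS's or any vendor's code: a signature check names one known exploit by pattern, while a protocol-analysis check parses the HTTP request and flags any header field longer than 255 bytes (the rule shape the reply quotes), so a known exploit raises both alerts and an unknown one still raises the protocol alert. The exploit signature string, the header limit and the sample requests are constructed placeholders, not real indicators.

```python
import re
from typing import List

# Constructed placeholder standing in for a real exploit signature.
KNOWN_EXPLOIT_SIGNATURE = re.compile(rb"EXPLOIT-PLACEHOLDER-XYZ")
# Protocol-analysis limit, following the "longer than 255 bytes" rule in the post.
MAX_HEADER_VALUE = 255

def signature_alerts(request: bytes) -> List[str]:
    """Signature check: names the attack, but only for a pattern already known."""
    if KNOWN_EXPLOIT_SIGNATURE.search(request):
        return ["signature: known exploit XYZ"]
    return []

def protocol_alerts(request: bytes) -> List[str]:
    """Protocol analysis: parse the request line and headers and flag any
    header value over MAX_HEADER_VALUE bytes, whatever exploit (if any) it is."""
    alerts: List[str] = []
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3:
        return ["protocol: malformed request line"]
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            alerts.append("protocol: malformed header")
            continue
        if len(value.strip()) > MAX_HEADER_VALUE:
            alerts.append(
                f"protocol: header {name.decode(errors='replace')} "
                f"longer than {MAX_HEADER_VALUE} bytes"
            )
    return alerts

def analyse(request: bytes) -> List[str]:
    """Run both detectors; a known exploit can therefore yield two alerts."""
    return signature_alerts(request) + protocol_alerts(request)

# Constructed sample requests (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
KNOWN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: "
         + b"EXPLOIT-PLACEHOLDER-XYZ" + b"A" * 300 + b"\r\n\r\n")
UNKNOWN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: "
           + b"B" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("known", KNOWN), ("unknown", UNKNOWN)):
        print(label, analyse(req))
```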