
Re: [ISSForum] Comparison of

Hi Dan, hi list,
answers inline:

Dan Widger wrote:

    I'd like to know how technical networking security
    professionals would compare MS ISA / proxy firewall, with the
    capabilities of an IPS, versus a web application firewall solution
    (Kavado / Sanctum / Teros / NetContinuum).  If we wanted to go a level
    deeper, we could throw a MS ISA firewall with ISS Server sensor into the

I don't know MS ISA very well, but from what I've heard it's quite useful in smaller environments with medium security.

In high security environments I would strongly recommend a full blown proxy firewall AND an IDS or IPS.

ISA might be really good for several purposes, but I still think that vendors that specialize in proxy and firewall systems are better. Especially when they have an E3/high certificate (European certificate) or better, you can be sure that the design and implementation are solid.

In addition I would think about some kernel-level protection software - something that protects you from buffer overflows - on webservers, and an IPS or IDS. One drawback with IPS is that some false positives could cause denial of service, so you should be careful with active responses like packet dropping and TCP reset. Thorough tuning of policies is required.

    At stake is a web application, operating in a secure subnet
    / dmz.  If the objective to the "protect" all the servers in the secure
    subnet, which device would be adequate, and which may be inadequate for
    providing protection from internet attack against servers in the "secure

All of the three options could be adequate. This depends on what level of security and availability you need. There are also products available that specialize in securing web (HTTP) applications. When using HTTPS you can terminate the SSL encryption on a proxy and put an IPS inline. Of course this is no end-to-end encryption, but this way you have a chance to filter out malicious stuff before it hits your web servers.

    Does anyone have any quantitative experience comparing Web
    Application Firewalls with IPS?

Both are part of your security toolbox.

    In my humble opinion, all of these solutions are variations
    of a proxy solution.

No, an IPS is no proxy, since a proxy is an application that does not simply forward packets as they are; it provides a service to a client and requests that service from another server. A proxy can load a website and serve that site to a client in another format or with limited content (e.g. stripping ActiveX or scripts off the code).

An IPS does not alter contents. If content is malicious it triggers an alert and (if configured) drops the whole packet or even the connection.

Of course those things tend to intermix in some products, e.g. with Check Point Application Intelligence.

    In my partially informed mind, the real question
    is what application or protocol (PAM) intelligence is applied on top of
    the proxy.

An IPS can use simple patterns (signatures) and some more sophisticated heuristics. Protocol analysis is somewhat different if you look at ISS. ISS uses signatures AND protocol analysis. With signatures you look for a pattern of a known exploit. With protocol analysis you can detect when a known vulnerability is being exploited, like <IF protocol message xyz contains a string longer than 255 bytes THEN...>. This assumes that the analysis module knows the structure of the protocol and even detects a protocol if it doesn't run on the default port.

The good thing with signatures is: You know exactly (by name) what attack hits your network. The good thing with protocol analysis is: You can detect new (zero day) exploits. Thus you might get two alerts for the same event: one for the signature-hit, one for the vulnerability-hit.

ISS folks: Did I get that right?

    One resource made the analogy that IPS is "a mile wide, and
    a foot deep", and web app firewall is "a foot wide, and a mile deep".
    In this discussion, ISA is a general proxy with MS networking
    intelligence, and would therefore be shallower in terms of overall "deep
    packet inspection" capabilities.

I cannot confirm that. This depends on the product implementation, not on the general approach.
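An illustration of the two detection styles discussed in the post (signature hit vs. protocol-analysis hit, possibly two alerts for one event), added here as an example; it is neither ISS code nor code from the list post. The signature pattern, the 255-byte field-length rule as a standalone check, and the sample HTTP requests are constructed assumptions.

```python
import re

# Constructed signature list (name -> pattern for a known exploit string).
# Made-up pattern for illustration, not a real ISS signature.
SIGNATURES = {
    "HTTP_Example_CGI_Exploit": re.compile(rb"/cgi-bin/example\.cgi\?cmd=", re.I),
}

# Protocol-analysis rule: the post's "string longer than 255 bytes" check,
# applied to every HTTP field. Assumed threshold, not a vendor value.
MAX_FIELD_LEN = 255


def parse_http_request(raw: bytes):
    """Minimal HTTP parser (request line + headers). Returns None if the data
    does not look like HTTP, i.e. protocol detection by content, not by port."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    fields = {"request-target": parts[1]}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return fields


def analyze(raw: bytes):
    """Return alerts as (kind, detail) tuples: one per signature hit (you learn
    the exploit's name) and one per protocol-analysis hit (you catch the
    vulnerability being exploited, even by an exploit no signature knows)."""
    alerts = [("signature", n) for n, pat in SIGNATURES.items() if pat.search(raw)]
    fields = parse_http_request(raw)
    if fields is None:
        return alerts  # not HTTP: the protocol rules do not apply
    for field, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            alerts.append(("protocol", f"HTTP field '{field}' longer than {MAX_FIELD_LEN} bytes"))
    return alerts


# Constructed sample traffic: benign; an unknown exploit (only the protocol rule
# fires); a known exploit with an over-long field (both fire: two alerts).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
UNKNOWN = b"GET /search?q=" + b"A" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
KNOWN = b"GET /cgi-bin/example.cgi?cmd=" + b"A" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

for label, sample in (("benign", BENIGN), ("unknown", UNKNOWN), ("known", KNOWN)):
    print(label, analyze(sample))
```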

ISSForum mailing list


The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.