The main difference between an IDS and a firewall is the position of the system
relative to the data stream.
A firewall is a choke point with all traffic passing through it. A network IDS
is a monitor at the side watching traffic but not modifying it (but maybe modifying
a router or firewall). The IDS is best placed to monitor the traffic that passes the
firewall to ensure that it hasn't bypassed the firewall in some manner. Since a
firewall has to inspect all of the traffic, it normally doesn't do the in-depth
signature/anomaly detection of an IDS. But in many ways they should be
complementary and should be working together. I think Symantec's (Axent) Net
Prowler and Raptor can pass information to each other. We have Raptor and its
logs contain quite a bit of information about rejected packets. But it does not
have extensive analysis tools for looking at the log. I wrote some Perl to do it.
  I think in the future both IDS and firewalls will be part of the routing
infrastructure with network IDS part of switches (as can happen now with
Catalyst 6000 series), IDS sensors as part of every TCP/IP stack and border
routers having full ALG firewall capabilities. It will work with a security-flow
policy so that QoS and security are part of the same engine.
  This is similar to real-world security. Your guard at the front desk who
checks everybody in and out (firewall) monitors all your burglar alarms and
motion detectors. She also talks to the security guard wandering through all the
corridors and tests every door to see if the locks are still in place. She also
directs traffic around construction or accidents and investigates them. It is
considered part of the normal corporate security infrastructure.
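As an added illustration of the point above (this is not code from the thread, nor from Raptor, NetProwler or any product named in it), here is a small Python check of the "IDS behind the firewall" idea: the firewall policy is what *should* reach the inside, the inside sensor's flow records are what *did*, and any observed flow the policy would have denied is a candidate bypass worth an alert. It also sketches the other direction of the cooperation, turning a flagged flow into a deny rule the sensor could hand back to the firewall. The rule format, the policy, the addresses and the flow records are all constructed placeholders.

```python
"""
Added example, not part of the original thread.

A first-match firewall policy is evaluated against flows recorded by an IDS
sensor sitting on the protected side of the firewall.  Any flow the policy
would have denied should never have been visible there; its presence means
something bypassed the choke point (a second path, a misconfiguration, a
tunnel) or the policy the sensor holds is stale.  All data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, e.g. "0.0.0.0/0"
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    src: str               # source address as seen by the inside sensor
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))


def policy_decision(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is denied by default."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def find_bypasses(policy: List[Rule], observed: List[Flow]) -> List[Flow]:
    """Flows seen inside that the firewall policy says should not have got in."""
    return [f for f in observed if policy_decision(policy, f) == "deny"]


def suggest_block_rule(flow: Flow) -> Rule:
    """A narrow deny rule the sensor could push to the firewall for a bypass.

    Scoped to the single source host and destination service so that an
    automated response cannot knock out legitimate traffic.
    """
    return Rule("deny", flow.src + "/32", flow.dst + "/32", flow.proto, flow.dport)


# Constructed policy: only HTTP to the DMZ and SMTP to one mail host from outside.
POLICY = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 25),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# Constructed flow records as the inside sensor might report them (RFC 5737 ranges).
OBSERVED = [
    Flow("198.51.100.7", "192.0.2.5", "tcp", 80),    # web, allowed
    Flow("198.51.100.7", "192.0.2.10", "tcp", 25),   # mail, allowed
    Flow("198.51.100.9", "192.0.2.20", "tcp", 23),   # telnet: policy says deny
    Flow("203.0.113.4", "192.0.2.5", "udp", 53),     # udp: policy says deny
]

if __name__ == "__main__":
    for f in find_bypasses(POLICY, OBSERVED):
        print("possible firewall bypass:", f, "-> proposed", suggest_block_rule(f))
```

Run as-is it reports the telnet and UDP flows as bypasses; the useful part in practice is keeping the sensor's copy of the policy in step with the firewall's, since a stale policy produces the same alerts as a real bypass.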

Gary Flynn <[EMAIL PROTECTED]> on 05/23/2001 08:35:14 AM
To: [EMAIL PROTECTED]
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: Application Level and Stateful Inspection

Ron DuFresne wrote:
>
> How deeply do application proxies actually look into the packets? What
> degree do the major players go to to determine what is and is not
> acceptable? How many actually look deeper than the packet headers? How
> many look at more than the mere headers after the first packet or two?

And how much difference is there between an "application proxy" and
an IDS system? If the box has to deal with protocols at that level,
why not combine the functionality of the two?

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
