JuniperForum.com
March 10, 2010, 12:42:10 PM
Author Topic: collision course  (Read 2482 times)
me
Newbie
Posts: 26
« on: June 12, 2003, 04:41:54 AM »

given that a netscreen idp can (just about) be used as a firewall
(since it can _also_ block on protocols and src / dest)

and given the latest version of firewall-1 (ng ai [aka fp4]) can now
dig into the protocols (e.g. verifying that ssh is using protocol 2 to
the endpoint, also e.g. looking at netbios requests \\server\share)

...

they may be on a collision course.

firewalls moving up the stack, intrusion prevention moving down the
stack.

thoughts anyone?

--
me
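As an added illustration of the kind of "dig into the protocols" check the post mentions (a firewall verifying that an SSH session is really protocol 2), here is a small Python inspector for the server identification string. This is example code written for this page, not Check Point's or NetScreen's implementation. It follows the identification-string format from RFC 4253 section 4.2; the sample banners are constructed, not captures from real hosts, and the choice to deny "SSH-1.99" under a strict policy is an assumption (1.99 means the server still offers protocol 1 as a fallback).

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF", at most
# 255 bytes including CR LF. softwareversion is matched leniently (anything up to the
# first space) because pre-RFC servers such as "SSH-1.5-Cisco-1.25" put hyphens in it.
_IDENT_RE = re.compile(rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")


def _deny(reason, proto=None, software=None):
    return {"proto": proto, "software": software, "verdict": "deny", "reason": reason}


def check_ssh_banner(data, strict=True):
    """Decide from the server's identification string whether this is a protocol 2 session.

    data   -- bytes the server sent at the start of the TCP session
    strict -- if True, "SSH-1.99" (server also offers protocol 1) is denied (assumed policy);
              if False it is allowed as protocol-2 compatible
    Returns {"proto", "software", "verdict", "reason"}.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            # A server may send other lines before its identification string
            # (RFC 4253 4.2); an inspector that only reads the first line would
            # mis-classify the session, so keep scanning.
            continue
        if len(raw) + 1 > 255:
            return _deny("identification line too long")
        m = _IDENT_RE.match(line)
        if m is None:
            return _deny("malformed identification string")
        proto = m.group("proto").decode("ascii")
        software = m.group("soft").decode("ascii", errors="replace")
        if proto == "2.0":
            return {"proto": proto, "software": software, "verdict": "allow", "reason": "protocol 2"}
        if proto == "1.99":
            if strict:
                return _deny("server also offers protocol 1 (1.99)", proto, software)
            return {"proto": proto, "software": software, "verdict": "allow",
                    "reason": "protocol 2 compatible (1.99)"}
        return _deny("protocol 1 (%s)" % proto, proto, software)
    return _deny("no identification string seen")


if __name__ == "__main__":
    # Constructed banners, not captures from any real host.
    for banner in [b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
                   b"SSH-1.99-OpenSSH_3.9p1\r\n",
                   b"SSH-1.5-Cisco-1.25\r\n",
                   b"Welcome to the box\r\nSSH-2.0-dropbear_2020.81\r\n"]:
        print(banner, "->", check_ssh_banner(banner))
```

The two details worth noticing are the pre-banner lines (a server is allowed to send text before "SSH-", so the check has to scan for the identification line rather than trust the first line) and the 1.99 case, where "protocol 2 capable" is not the same as "protocol 2 only".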
mirom
Jr. Member
Posts: 63
« Reply #1 on: June 14, 2003, 03:28:28 PM »

There will be some news from NS about this too in the near future. Things are getting interesting :)

M.
dkillion
Full Member
Posts: 113
« Reply #2 on: September 05, 2003, 12:46:09 PM »

Presently the IDP really isn't appropriate for managing your layer 3/4 security (specifying from/to IPs and port permissions). It's also a 'fail-open' system, which is inappropriate for a firewall.

But as Mirom says, things are changing: technology moves forward, things get interesting...

-Dave
Dave Killion
NetScreen Certified Associate (NSCA)
Anonymous
Guest
« Reply #3 on: September 05, 2003, 02:05:14 PM »

:)
mirom
Jr. Member
Posts: 63
« Reply #4 on: September 05, 2003, 02:06:48 PM »

Dave is right :)
arc
Newbie
Posts: 29
« Reply #5 on: September 16, 2003, 10:19:58 PM »

Actually, I was informed that the IDP is a "fail closed" device when placed in-line, but that this was configurable... just as it is always an option to just place the IDP unit in "sniffer" mode off of a mirror port.

The original point is a good one, though, that I think all the security vendors are foreseeing. I think that is what is driving the marketing lingo to transition to the phrase "deep packet inspection". As you say, firewalls need to understand application layer protocols in order to deal properly with the dynamic port allocation schemes involved in things like SIP and H.323, while IDS/IPS products are realizing that they need to come inline and drop actual traffic like a firewall to be truly useful to customers.

The problem, though, is that IPS products still have a way to go when it comes to "single-point-of-failure" concerns like: 1) reliability, 2) fail-over, 3) accuracy, 4) performance (bandwidth/latency/session-ramping, etc.) Meanwhile, firewalls have a long way to go to be able to really deal effectively with a wide variety of application protocols. NetScreen and the others seem aware that they have their work (and opportunity) in front of them though... and I think that NetScreen is one of the ones really beginning to grasp the full extent of it.
gr33ndata
Sr. Member
Posts: 366
« Reply #6 on: September 19, 2003, 12:08:16 AM »

I think that in the near future more companies will be moving toward the idea of "Security Gates", or whatever they may call them, which will replace firewalls, IDSs and antivirus by putting them all in one single appliance.
Gr33nData, or you may call me NetScream
JNCIS-FWV, and JNCIA-IDP
http://gr33ndata.blogspot.com/
me
Newbie
Posts: 26
« Reply #7 on: October 21, 2003, 02:47:59 PM »

The IDP can fail open or closed. It's just that you have to buy an extra bypass unit (one per network segment) to achieve fail open. (The bypass units are just 5GT boxes with a different version of ScreenOS.)

Also, the IDPs can go fault-tolerant/HA.

performance may be an issue depending on what type/volume of traffic is crossing the wire.
dkillion
Full Member
Posts: 113
« Reply #8 on: October 30, 2003, 11:00:20 AM »

What I meant by 'fail open' was perhaps bad wording: basically, if the packet isn't tripped by any policy, the packet sails through. At this point, it's not very easy to say "if it matches 'ATTACK-X' then let it through, otherwise drop"; there aren't any "happy sigs". The IDP only looks for bad, not for good.

Coming in 3.0 will be the power to negate a sig, including user-definable sigs. So one could make a sig on their own that said "DNS request = mydomain.com", then negate it; now only "approved" DNS requests would be permitted. It's a lot easier to enumerate what's allowed than to try to imagine all the things that aren't allowed. This is a poor example, but you get the idea.
Dave Killion
NetScreen Certified Associate (NSCA)
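To make the two policies in Dave's post concrete, here is an added Python example (written for this page, not IDP code or anything from NetScreen) that runs the same constructed DNS queries through both: a "look for bad" signature list, where anything unmatched sails through, and a negated user-defined sig, where only queries for an approved domain pass and everything else is dropped. The DNS packets are built inline from a minimal query builder, and the domain lists BAD_DOMAINS and APPROVED_DOMAINS are hypothetical.

```python
import struct


# Constructed sample data: a tiny DNS query builder (no real captures are used here).
def build_dns_query(qname, qtype=1):
    """Return a minimal DNS query packet for qname (QTYPE 1 = A, QCLASS 1 = IN)."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet):
    """Extract the (lower-cased) query name from the first question in a DNS packet.

    Raises ValueError on truncated input, over-long labels or compression pointers;
    pointers are not legal in a question name and malformed names are a classic way
    to confuse a naive signature match, so the parser refuses rather than guesses.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, i = [], 12
    while True:
        if i >= len(packet):
            raise ValueError("truncated question name")
        n = packet[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if i + n > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[i:i + n].decode("ascii").lower())
        i += n
    return ".".join(labels)


def in_domain(qname, domain):
    """True if qname is domain itself or a subdomain of it.

    The leading dot matters: a plain endswith("mydomain.com") would also accept
    notmydomain.com, which is exactly the hole a negated "approved" sig must not have.
    """
    return qname == domain or qname.endswith("." + domain)


# Hypothetical signature lists, constructed for the example.
BAD_DOMAINS = ["evil.example"]        # classic "look for bad" signatures
APPROVED_DOMAINS = ["mydomain.com"]   # the user-defined sig that gets negated


def verdict_signature_only(packet):
    """Drop only on a matching bad sig; anything not tripped by a sig sails through."""
    qname = parse_qname(packet)
    return "drop" if any(in_domain(qname, d) for d in BAD_DOMAINS) else "pass"


def verdict_negated_sig(packet):
    """Negated sig: pass only if the query is for an approved domain, drop everything else."""
    qname = parse_qname(packet)
    return "pass" if any(in_domain(qname, d) for d in APPROVED_DOMAINS) else "drop"


def run_demo():
    """Run both policies over constructed queries; returns [(qname, sig-only, negated)]."""
    results = []
    for name in ["www.mydomain.com", "www.evil.example", "unknown.example.net", "notmydomain.com"]:
        pkt = build_dns_query(name)
        results.append((name, verdict_signature_only(pkt), verdict_negated_sig(pkt)))
    return results


if __name__ == "__main__":
    for name, sig_only, negated in run_demo():
        print(f"{name:24} signature-only={sig_only:5} negated-sig={negated}")
```

The third query is the one the post is about: "unknown.example.net" matches no bad sig, so the signature-only policy passes it, while the negated sig drops it because it was never approved. The last query shows why the allow-list match has to be on a label boundary rather than a suffix string.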
Hugodrax
Newbie
Posts: 1
« Reply #9 on: October 31, 2003, 11:40:14 PM »

Looks like the collision course is going full speed. It was only a matter of time. Firewall technology has been long in the tooth for some time now, and IDS, although a useful tool, is not really enough. I would say next year most major vendors will provide layer 7 firewall rule support.