Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Inside NIP Hype

Our position puts us in the minority: Though we think NIP systems can enhance an existing security infrastructure, we don't consider integrating intrusion prevention and firewalls into a single unit a desirable goal.

Firewalls have a largely static configuration: Firewall administrators define what is acceptable traffic and use the features of the firewall to instantiate this policy. Some firewalls provide better protection features than others--for example, an HTTP application-level proxy is far superior to an HTTP stateful packet-filtering firewall at blocking malicious attacks--but the basic idea is the same: Your firewall administrator can be confident that only allowable traffic will pass through. If you have doubts about your firewall, get a new one from a different vendor, send your firewall administrator to Firewall Admin 101, or get a new firewall administrator.

Not surprisingly, when we asked you why you're not blocking traffic using NID (network-based intrusion-detection) systems, 63 percent of you said you use a firewall to determine legitimate traffic (see E-Mail Poll results).

But people make mistakes, so misconfigured firewalls are a common source of network insecurity. This simple fact has been used as a selling point for both intrusion-detection and -prevention systems, with vendors claiming their products will alert you to, or block, attacks that do get through.

The answer: Instead of layering on more hardware, solve the fundamental problem of misconfiguration. Unfortunately, though, it's not that simple. If you're enforcing traffic policy on your network using a stateful packet-filter firewall--such as Cisco Systems' PIX, Check Point Software Technologies' FireWall-1 or NetScreen's eponymous product--without security servers or kernel-mode features enabled, you should know that application-layer exploits, such as server-buffer overflows or directory-traversal attacks, will zoom right through. Stateful packet filters stop at Layer 4.

  • 1