Security in Layers: Web Application Firewall

First and foremost, it is important for you to be able to tell the difference between a firewall, an IPS/IDS, and a web application firewall. All three are important security devices that help protect your environment and sensitive data in different ways. A firewall generally controls who can access your system and who cannot. An IPS/IDS detects invalid or malicious packets that match particular signatures (usually provided by a vendor). A web application firewall does not just inspect packets; it inspects full requests and responses at the application level.

The following are just a few of the benefits gained by having a web application firewall in your environment:

* A Web Application Firewall directly satisfies PCI Requirement 6.6 (from PCI DSS v2.0)
* Provides protection at a high level, detecting not only malicious events, but also code exploits as well as other network anomalies.
* Customizability. Web application firewalls generally provide flexible rule engines as well as multiple logging solutions and default detection actions.


Intrusion Detection or Prevention? – IDS vs. IPS

I have a lot of people come up to me and ask whether they should use an IDS (Intrusion Detection System) or an IPS (Intrusion Prevention System) in their environment. The terms typically refer to position in the network and how the device acts rather than to the physical device itself, as most IPS sensors today can work in either inline or promiscuous mode. The answer really depends on your risk acceptance, your objective and the hardware you have. Let’s dive a little deeper to hopefully help you answer the question.

First, let’s talk about your objective. What is your objective for implementing this technology? Obviously, it is to add better protection to your network. Hopefully, this tool is just another layer in your defense in depth strategy. The main difference between IDS and IPS is this: an IDS watches a copy of the traffic, while an IPS watches the real traffic. So, if you want to be alerted to situations without affecting real traffic, an IDS may be for you. The problem here is that since an IDS only watches copied traffic and alerts you on that, the real offending packet(s) have already passed to their intended target. Even if you have your IDS set up to update your firewall with blocking rules, the initial attack packet has already gone through. If you want to block an atomic attack (a single-packet attack) that would get through the IDS, then maybe you should consider an IPS.


The Power of Cisco IPS

Cisco’s IPS/IDS solution has come a long way over the last couple of years. Recently, Cisco updated their software version to 7. With this came one exciting new feature: global correlation. This feature is available on the standalone IPS sensors, as well as the ASA sensor plugins on the 5510+ – to name just a few…


Jazzy Intrusion Detection and Prevention on a Shoestring Budget

With today’s sophisticated hacking methods, a solid defense is the only way to keep up. Intrusion detection and prevention solutions are a must, but Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have been painfully expensive. The cost of a reliable device has kept many sites vulnerable to attack, and has also been a major barrier for webmasters trying to comply with security requirements like PCI and HIPAA.

But recently, Cisco has updated the code base for their entry-level model firewall, the ASA5505, enabling their advanced IPS and IDS capabilities for the lower priced box. Some of the benefits include:

  • Signature-based prevention and detection rules that check for updates daily. If the Cisco team identifies a threat, the ASA5505 can start protecting against it.
  • Accurate detection of malicious traffic means that you never accidentally lock out legitimate traffic while still guarding against a comprehensive list of known attack methods.


©1996-2011 INetU Inc, All Rights Reserved.