IDS vs Leakproofing

Discussion in 'other firewalls' started by Diver, Jul 9, 2008.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    If one were to compare an IDS with a "leak proof" software firewall, on its simplest level the IDS is a blacklist while the leak proof firewall is a white list.

    As usual the devil is in the details. Because there are many possible ways to impersonate or use a white listed application to contact the internet, some of the new firewalls have HIPS built in to deal with these possibilities. There are many pop ups and a training period that never completely ends. It may be OK for a hobbyist who likes to test new firewalls, but it is not secretary proof. There are other issues, but the main one is too much responsibility is on the user who might make a mistake.

    The IDS is more like an AV. The difference is it looks for certain communication patterns that are consistent with malware operating. The detection is more behavioral and generic than that of an AV because it is much easier to change the package of the malware to avoid signature detection than it is to change its mode of communication. Of course the target must be in the IDS database.

    Note that either method involves post infection detection so that either might be defeated by malware that disables the firewall, sends "allow" messages or installs a communications driver to bypass the firewall.

    I prefer to not have to rely on the user to train the firewall, so I think IDS is a better idea. There are a few firewalls with IDS built in. The Sygate derived Symantec Endpoint Protection comes to mind. Avast AV has a lightweight IDS built in. There are stand alone Linux based IDS systems like Snort. Perhaps some of you know of other IDS programs that run on Windows.

    Any thoughts on this, anyone?
     
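The blacklist/whitelist contrast in the post above can be made concrete with a small model. This is an added example, not code from the thread or from any product named in it: a name-only whitelist (the simplest "leak proof" rule), a name-plus-hash whitelist, and a toy IDS with one static signature (a known-bad destination) and one behavioural rule (a fixed-interval beacon). All process names, hashes, addresses and connection records are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Toy comparison of a whitelist ("leak proof") firewall and a blacklist IDS.

Added example. Every name, hash, address and timestamp below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    process: str   # name the OS reports for the connecting program
    sha256: str    # hash of the executable (constructed placeholder, not real)
    dst: str       # destination host
    dport: int     # destination port
    ts: int        # seconds since start of capture


# Whitelist model 1: only programs with these names may talk out.
WHITELIST_BY_NAME = {"browser.exe", "mail.exe"}
# Whitelist model 2: the name AND the executable hash must match.
WHITELIST_BY_HASH = {"browser.exe": "hash-browser-good", "mail.exe": "hash-mail-good"}

# Blacklist (IDS) model: a known-bad destination plus a behavioural beacon rule.
IDS_BAD_DST = {"198.51.100.7"}   # constructed, RFC 5737 documentation address


def whitelist_decide(c: Conn, by_hash: bool = False) -> str:
    """Return 'allow' for whitelisted programs, otherwise 'prompt' (ask the user)."""
    if by_hash:
        return "allow" if WHITELIST_BY_HASH.get(c.process) == c.sha256 else "prompt"
    return "allow" if c.process in WHITELIST_BY_NAME else "prompt"


def ids_alerts(conns, beacon_period: int = 60, min_beacons: int = 3):
    """Return sorted ((process, dst, dport), reason) pairs for flows the IDS flags."""
    alerts = set()
    by_flow = defaultdict(list)
    for c in conns:
        key = (c.process, c.dst, c.dport)
        by_flow[key].append(c.ts)
        if c.dst in IDS_BAD_DST:                       # static signature
            alerts.add((key, "known-bad destination"))
    for key, times in by_flow.items():                 # behavioural rule
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= min_beacons - 1 and all(g == beacon_period for g in gaps):
            alerts.add((key, f"fixed {beacon_period}s beacon to {key[1]}:{key[2]}"))
    return sorted(alerts)


def evaluate(conns):
    """Per flow: both whitelist decisions and the list of IDS alert reasons."""
    out = {}
    for c in conns:
        out.setdefault((c.process, c.dst, c.dport), {
            "whitelist_by_name": whitelist_decide(c),
            "whitelist_by_hash": whitelist_decide(c, by_hash=True),
            "ids": [],
        })
    for key, reason in ids_alerts(conns):
        out[key]["ids"].append(reason)
    return out


# Constructed capture: four flows that exercise the four outcomes.
SAMPLE = [
    # 1. genuine browser: both whitelists allow, IDS silent
    Conn("browser.exe", "hash-browser-good", "example.com", 443, 5),
    # 2. malware using the whitelisted name (the impersonation case in the post)
    Conn("browser.exe", "hash-unknown-1", "198.51.100.7", 443, 0),
    Conn("browser.exe", "hash-unknown-1", "198.51.100.7", 443, 60),
    Conn("browser.exe", "hash-unknown-1", "198.51.100.7", 443, 120),
    # 3. unknown program beaconing to a destination not in the IDS database
    Conn("updater.exe", "hash-unknown-2", "203.0.113.9", 8080, 0),
    Conn("updater.exe", "hash-unknown-2", "203.0.113.9", 8080, 60),
    Conn("updater.exe", "hash-unknown-2", "203.0.113.9", 8080, 120),
    # 4. unknown program, single connection: nothing for the IDS to match on
    Conn("unknown.exe", "hash-unknown-3", "203.0.113.10", 443, 30),
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE).items():
        print(flow, verdict)
```

Run as a script it prints one line per flow. Flow 2 is the crux of the post: the name-only whitelist allows it, the hash whitelist falls back to a prompt (the user has to decide), and the IDS catches it only because the destination is in its database or the beacon fits the rule; flow 4 shows the other limit, a pattern the IDS has never seen produces no alert while the whitelist at least prompts.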
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Not at all. It depends on implementation only, not on the HIPS (Behavior Analysis) concept. But yes, implementation can spoil all the fun...
     
  3. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Diver, the newest version of Kerio (4.6) includes a network IDS comparable to Sygate.

    The IDS system has been greatly improved in that version! Give it a spin!

    Edit: Oh Kerio = Sunbelt btw
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I am using Avast ATM.

    I had hoped to see some discussion of blacklist vs white list, but there are no takers. I believe this was originally posted in the firewall section, but the mods saw fit to move it here.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Actually you posted it to the anti-virus forum which did not seem to be the appropriate place.

    So a coin was flipped... anti-malware forum (IDS) or firewall forum (leak proofing) and I reckon you see who won. You tell me which of the two appropriate forums you would like it to be in and we'll accommodate?
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    As for me, I do not believe in the lists, either they are white or black, it doesn't matter. Any list is "postfactum".
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Well, I thought I put it in the Firewall forum, my mistake. I suppose the best place for it would be the firewall forum, although so far not that much interest in the topic.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Someone please correct me if I'm wrong, but when I hear the term "IDS", I have always thought of inbound protection. For example, the IDS and associated rules in the old Tiny Firewall Pro. Snort for example. To my mind, IDS doesn't handle outbound at all, just inbound. It looks for "intrusions" coming from the internet inbound, "attacks" as it were. I believe the IDS rules in Sygate also only watched for inbound "attacks".

    So to get back to the original topic/thread subject line, the two terms aren't talking about the same thing. IDS is inbound, Leakproofing usually refers to outbound.

    This is my understanding anyhow, but I am willing to stand corrected if I've got it wrong... :)
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    That's a good point. Honestly, I don't know. There is a lot of black art in security. Anyone really know how AV "heuristics" work, beyond flagging packed/encrypted files?
     