Let me start by stating that much of what I’m about to cover was seeded by a wonderful talk I heard by Marcus Ranum back in 2003. Since then I’ve been sort of mulling everything over, and here are the basic ideas:
From Marcus’s talk:
- Q: What does a packet filter do? A: Looks at a few parts of packet headers and decides if it is bad. If it is, it drops it.
- Q: What does a stateful firewall do? A: Looks at a more of a packet and decides if it’s bad. It uses the loose concept of “state” to help it. If it’s deemed inappropriate, it gets discarded.
- Q: What does an IDS do? A: Looks at a bunch of stuff in the packet and decides if it’s bad or not based on signatures and/or some heuristics. If it’s bad, it notifies you.
- Q: What does an IPS do? A: Looks at a bunch of stuff in the packet and decides if it’s bad or not based on signatures and/or some heuristics. If it’s bad, it drops the traffic and/or notifies you.
Marcus went on to ask: what’s the difference between these supposedly fundamentally different technologies? The answer was clear — not much. They’re all doing some sort of detection and then performing an action based on the result.
(Here I’m going off on my own tangent so I’ll leave Marcus out of this)
So, ultimately there’s very little difference between a rudimentary packet filter from 10 years ago and a modern IPS. I see all these devices becoming one; I think a good name would be a “Security Check Point”, or a security “Gateway”.
The point is that in the future you won’t have to isolate these different technologies. You’ll just lay down a diagram of your environment and decide where you want filtering. Virtually every device on your network will be able to do all of these functions. All the way from the border router to the workstation.
This is the next evolution in the security space, I think. It’s even more advanced than NAC. Essentially, all pivot points and end hosts in the enterprise are part of the collective. The SIM/SEM functions as the brain. If there are performance issues then one type of security or another can be disabled on various pivots as needed, but in general all pivots will be able to perform all functions.
When an incident occurs, the system will simply isolate the problem by implementing ACLs on the nearest pivot point. If it wanted to, it could even push security information down to all other systems in the enterprise. To the security system, routers, firewalls, workstations, servers — they’re all the same. They’re just security nodes with various properties. Imagine object-oriented programming.
Using this model a security engineer could look at their network and simply assign logical security zones based on trust. The software would do the rest. The hardware at that point becomes transparent. It’s just carrying out the conceptual wishes of the engineer. I imagine an interface like the one in Minority Report, with a large view of the network infrastructure being displayed:
These here are all trust level 3… (dragging and dropping with arm motions). This here is a priority filter (points at a central hub, holds, and selects from a dynamic context menu). Trust level 0 resides here (pointing at a cluster of server nodes). All surrounding filters move to sensitivity 9 and associate reporting procedures with the existing standard.
So basically, you design how you want it to work, and the devices just make it happen. There’s no need for this kind of firewall or that kind of IDS — all security devices will merge into one — with each of them being able to do all filtering. The only reason they were separate was because they came into existence independently and there were performance issues. As these issues fade away there will be no reason whatsover to keep their functions separate.
Anyway, just a few thoughts…
[ UPDATE: The way I’d characterize it now in 2015 is that all security filters do two things: look for something, and take an action. Whether it’s a router or a layer 15 cross-port heuristic AI platform, that’s all we’re doing. We just get better at doing one or both of those things. ]