Failure Modality Responses Different in Firewalls versus IPS devices?
I had an interesting email this last week from a former co-worker that I found philosophically interesting (if not alarming.) It was slightly baited, but the sender is a smart cookie who was obviously looking for a little backup.
Not being one to shy away from discourse (or a good old-fashioned geek debate on security philosophy) I pondered the topic.
Specifically, the query posed was centered on a suggested diametrically-opposed set of opinions on how, if at all, IPS devices and firewalls ought to behave differently when they fail:
I was having a philosophical discussion with [He who shall not be named]
today about uptime expectations of IPS vs. Firewall. The discussion was
in reference to a security admin's expectation of IPS "upness" vs. Firewall's.
Basic question: if a firewall goes down we naturally expect it to BLOCK
all traffic. However, if an IPS goes down, the prevailing theory is that
the IPS should ALLOW all traffic, or in other words fail open.
[He who shall not be named] says this is because best practices say that
a firewall is a default DENY ALL device, whereas an IPS is a default ALLOW ALL
My thinking is trying to be a little more progressive. If Firewalls
protect at Layer 3 and IPSes at L4-7, then why would you open yourself
up at L4-7 when the device fails? I know that the concept of "firewall"
is morphing these days especially to include more L4-7 inspection. But
the question is the same. Are security admins starting to consider
protocol and payload analysis as important as IP and Port protection? Or
are we all still playing with sticks and fire in the mud?
I know you're all focused on virtualization these days, but how about a
good old religious firewall debate!
I responded to this email with my own set of beliefs and foundational arguments which challenged several of the statements above, but I’m interested in two things from you, dear reader, and hope you’ll comment back with your opinions:
- Do you recognize that there are two valid perspectives here? Would you fail open on one and closed on another?
- If your answer to question #1 is yes, which do you support and why?
You can assume, for sake or argument, that you have only a firewall, only an IPS or both devices in-line with one-another. Talk amongst yourselves…
General comments on the setup are also welcomed