
Failure Modality Responses Different in Firewalls versus IPS devices?

September 2nd, 2007

I had an interesting email this last week from a former co-worker that I found philosophically interesting (if not alarming). It was slightly baited, but the sender is a smart cookie who was obviously looking for a little backup.

Not being one to shy away from discourse (or a good old-fashioned geek debate on security philosophy) I pondered the topic.

Specifically, the query centered on two diametrically opposed opinions about how, if at all, IPS devices and firewalls ought to behave differently when they fail:

I was having a philosophical discussion with [He who shall not be named]
today about uptime expectations of IPS vs. Firewall. The discussion was
in reference to a security admin's expectation of IPS "upness" vs. Firewall's.

Basic question: if a firewall goes down we naturally expect it to BLOCK
all traffic. However, if an IPS goes down, the prevailing theory is that
the IPS should ALLOW all traffic, or in other words fail open.

[He who shall not be named] says this is because best practices say that
a firewall is a default DENY ALL device, whereas an IPS is a default ALLOW ALL

My thinking is trying to be a little more progressive. If Firewalls
protect at Layer 3 and IPSes at L4-7, then why would you open yourself
up at L4-7 when the device fails? I know that the concept of "firewall"
is morphing these days especially to include more L4-7 inspection. But
the question is the same. Are security admins starting to consider
protocol and payload analysis as important as IP and Port protection? Or
are we all still playing with sticks and fire in the mud?

I know you're all focused on virtualization these days, but how about a
good old religious firewall debate!

I responded to this email with my own set of beliefs and foundational arguments which challenged several of the statements above, but I’m interested in two things from you, dear reader, and hope you’ll comment back with your opinions:

  1. Do you recognize that there are two valid perspectives here?  Would you fail open on one and closed on another?
  2. If your answer to question #1 is yes, which do you support and why?

You can assume, for the sake of argument, that you have only a firewall, only an IPS, or both devices in-line with one another. Talk amongst yourselves…

General comments on the setup are also welcomed 😉
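To make the two failure modes concrete, here is an added model (not code from the original post or from any of the commenters). It treats the firewall as a default-deny L3/L4 allow-list keyed on destination port and the IPS as a default-allow L7 filter that drops only flows matching a signature, then counts what reaches the protected host when either device is up, fails open, or fails closed. The allowed ports, the signature strings and the sample flows are all constructed for illustration and are assumptions of the model, not data from the post.

```python
"""
Fail-open vs fail-closed model for an in-line firewall and IPS.

Added example, not from the original post. Firewall = default-deny L3/L4
allow-list; IPS = default-allow L7 signature filter. Ports, signatures and
sample flows below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    UP = "up"
    FAIL_OPEN = "fail-open"      # device down, traffic passes unfiltered
    FAIL_CLOSED = "fail-closed"  # device down, all traffic dropped


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: str
    malicious: bool  # ground truth, used only for scoring the outcome


# Assumed allow-list: default deny everything except these destination ports.
FIREWALL_ALLOWED_PORTS = {80, 443}

# Assumed signature set: default allow everything except payloads containing these.
IPS_SIGNATURES = ("../../", "' OR 1=1", "\x90\x90\x90\x90")


def firewall_passes(flow: Flow, state: State) -> bool:
    """Default deny: only allow-listed ports pass while the device is up."""
    if state is State.FAIL_OPEN:
        return True
    if state is State.FAIL_CLOSED:
        return False
    return flow.dst_port in FIREWALL_ALLOWED_PORTS


def ips_passes(flow: Flow, state: State) -> bool:
    """Default allow: only signature matches are dropped while the device is up."""
    if state is State.FAIL_OPEN:
        return True
    if state is State.FAIL_CLOSED:
        return False
    return not any(sig in flow.payload for sig in IPS_SIGNATURES)


def delivered(flows, fw_state, ips_state):
    """Flows reaching the host with firewall then IPS in-line."""
    return [f for f in flows if firewall_passes(f, fw_state) and ips_passes(f, ips_state)]


def exposure(flows, fw_state, ips_state):
    """(malicious flows delivered, benign flows delivered): the two costs being traded off."""
    out = delivered(flows, fw_state, ips_state)
    bad = sum(1 for f in out if f.malicious)
    return bad, len(out) - bad


def exposed_ports(flows, fw_state, ips_state):
    """Destination ports on which at least one flow reaches the host (reachable surface)."""
    return {f.dst_port for f in delivered(flows, fw_state, ips_state)}


# Constructed sample traffic (documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 443, "GET /index.html", False),
    Flow("198.51.100.11", 80, "GET /search?q=shoes", False),
    Flow("203.0.113.5", 80, "GET /../../etc/passwd", True),               # allowed port, IPS signature
    Flow("203.0.113.6", 443, "POST /login user=admin' OR 1=1--", True),   # allowed port, IPS signature
    Flow("203.0.113.7", 22, "SSH-2.0 password guessing", True),           # blocked port, no signature
    Flow("203.0.113.8", 445, "\x90\x90\x90\x90<shellcode>", True),        # blocked port, IPS signature
    Flow("203.0.113.9", 3389, "RDP probe", True),                         # blocked port, no signature
    Flow("203.0.113.10", 5900, "VNC probe", True),                        # blocked port, no signature
]


def scenario_table(flows=SAMPLE_FLOWS):
    """Exposure under the four device states the thread argues about."""
    scenarios = {
        "both up": (State.UP, State.UP),
        "firewall fail-open": (State.FAIL_OPEN, State.UP),
        "IPS fail-open": (State.UP, State.FAIL_OPEN),
        "IPS fail-closed": (State.UP, State.FAIL_CLOSED),
    }
    return {name: exposure(flows, fw, ips) for name, (fw, ips) in scenarios.items()}


if __name__ == "__main__":
    for name, (bad, good) in scenario_table().items():
        print(f"{name:20s} malicious delivered={bad}  benign delivered={good}")
    print("ports reachable, firewall fail-open:", sorted(exposed_ports(SAMPLE_FLOWS, State.FAIL_OPEN, State.UP)))
    print("ports reachable, IPS fail-open:     ", sorted(exposed_ports(SAMPLE_FLOWS, State.UP, State.FAIL_OPEN)))
```

Run it as a script to print the table. The pair returned by `exposure()` is the trade-off the thread is arguing over: malicious flows admitted versus benign flows dropped. `exposed_ports()` is the attack-surface view: with this sample a failed-open firewall makes whole services (22, 3389, 5900) reachable that the IPS has no signature for, while a failed-open IPS only re-admits payload attacks against ports that were already open. Whether that second cost is acceptable is exactly the "it depends" the commenters land on.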


Categories: Firewalls
  1. September 3rd, 2007 at 04:36 | #1

    Hmm, really good question. I think that secretly I have been very hesitant to rely on the P part of our IPS. It doesn't block the same things that our firewall does (as you mentioned). It seems to me that an IPS is a great way to dynamically shoot yourself in the foot (as well as to maliciously split an infinitive). In our neck of the woods, we've pretty much decided to keep the IPS lightly configured and then let it fail closed, with the argument that the stuff we've put in to block, we really want to block.
    So for the purposes of resiliency, we treat it like another layer of firewall.
    HTH, YMMV, and other signoff acronyms.

  2. September 3rd, 2007 at 17:49 | #2

    I'll go with the classic cop-out answer: "it depends". It depends on your network, what you are protecting, how your IPS is configured and more. Is your IPS really a well-tuned system, or just an IDS with an attitude? I certainly believe in configuring my firewalls to fail closed, but if I could really secure all of my hosts could it fail open? If I could really tune an IPS to my network it should fail closed without much pain.
    I know, embrace the sprawl, use two IPS systems: one configured with black-and-white rules that can fail closed and another to cover the shades of grey which would fail open.

  3. September 4th, 2007 at 05:38 | #3

    In most configurations, having the firewall fail open creates a HUGE attack surface, whereas the attack surface doesn't change nearly as much if the IPS fails open. This is really an apples-to-oranges comparison.

  4. September 4th, 2007 at 05:47 | #4

    @Tyler: I think it's a foregone conclusion that people are treating IPSs and firewalls differently (even though one could argue that it's difficult to buy a "pure" firewall today that isn't an IPS and 8 other things…)
    You say apples versus oranges; I say fruit salad 😉 Look at how people are deploying these two solutions and where…
    While I won't argue that having a firewall fail open *could* be a big problem (where open means unfiltered) — assuming the NAT function is still working (unlikely), but do you have any empirical data to back up this statement:
    "…the attack surface doesn't change nearly as much if the IPS fails open."
    One might infer that IPSs have a conspicuous value problem…

  5. September 4th, 2007 at 09:44 | #5

    I'm not sure what kind of empirical data would suffice here, or if I'm really following your question. I want to stay away from saying things like "it just stands to reason," but really it just stands to reason that I'm better protected against attacks if I block all traffic to a service than if I attempt to block specific types of attacks on that service.
    There's an additional gorilla in the room here, which is this: I trust my firewall because it's simple and generally not subject to trickery, while my IPS is stupid and easily fooled. Personally, I feel like the commercial signature-based IDS/IPS will be a thing of the past in the not-too-distant future. I think their value is suspect at best.
    I can't say I have any objective, empirical data to back this up, but my gut reaction is that the risk from a failed-open firewall is MUCH greater than the risk from a failed-open IPS. (And as you pointed out, I'm talking about only filtering going down while NAT continues to work for some reason.)

  6. aklo
    September 4th, 2007 at 15:03 | #6

    Perhaps it is the technology limitation: L4-7 blocking so far has not been sufficiently reliable to allow default deny.

  7. September 4th, 2007 at 17:34 | #7

    I was merely playing Devil's advocate. I share many of your opinions and concerns.
    I'll see how many more comments we get on the thread before I post my answer to the original email.

  8. September 5th, 2007 at 11:19 | #8

    What aklo said.

  9. NRC
    September 8th, 2007 at 12:36 | #9

    Isn't the issue here less about the technology and more about where we use these technologies today? Typically an IPS is desired to fail open as it is used on the corporate network and in the data center. If I had an IPS as part of my perimeter solution then yes, I may very much want it to fail closed.
    I think this whole discussion becomes more complex with virtualisation because now we have firewalls on the internal network and we potentially have different streams of data, some internal, some external and some business partners. So with all this in mind I now want my security device to fail partially open, i.e. allow my internal users to the DC but block external.
    I think the easy answer is: what is the purpose of the control, and what is the risk you are trying to mitigate? If your firewall/IPS is simply another layer then the impact to the risk index of fail open may in fact be quite small. On the other hand, if the risk index is high then stop moaning about the cost and build in the HA solution that is required. If you design your network correctly then do you really need to fail open on anything?
