1 Reply Latest reply on Apr 21, 2015 12:46 AM by ilindblo

    NGFW: The differences between FW policy and IPS policy.

    TK45

      Hi,


      I have a fundamental question. I cannot understand the differences between FW policy and IPS policy.

      Generally, the differences are as follows, I think.

      - FW policy is a Layer 3 operation, and the access control is based on IP address, port, and service.

      - IPS policy is a Layer 2 operation, and the access control is based on signature.


      However, I cannot understand the differences on each policy creation screen.


      [FW policy]

      The setting tabs are IPv4 Address, IPv6 Address, Inspection, IPv4 NAT, IPv6 NAT.

      FW.jpg


      [IPS policy]

      The setting tabs are Ethernet, IPv4 Address, IPv6 Address, Inspection. I think there is no tab where the signature-based policy is set.

      IPS.jpg


      Could anyone help with my understanding?


      Thanks

      TK45

        • 1. Re: NGFW: The differences between FW policy and IPS policy.

          Hello


          The terminology here is as follows:


          - Firewall is a layer 3 routing device which can do access control and deep inspection (amongst other things).

          - IPS is a layer 2 non-routing (transparent) device which can do access control and deep inspection.


          Both have access rules that allow/deny traffic based on IP or transport protocol headers. So the IPS or firewall policy element has the same function for both types of devices. The big difference is that the IPS access policy allows traffic by default, while the FW policy denies it.


          Filtering based on signature, or flow content, is what we call "deep inspection". It can be done on both IPS and firewall engines. In both, it is controlled with the element "inspection policy", which is referred to on the Inspection tab of both FW and IPS policies.


          The difference between firewall and IPS devices is not in their ability to do inspection, but in their deployment (L3/L2) and their default action (deny/allow).
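To make the point of the answer above concrete, here is an added illustration (not code from the thread or from the NGFW product): a minimal first-match access-rule evaluator in which the rule set is identical for both policy types and only the default action differs. The rule format, the first-match semantics, the `inspect` flag standing in for the Inspection tab, and the sample networks are all constructed assumptions; the only behaviour taken from the answer is "FW denies unmatched traffic, IPS allows it".

```python
"""First-match access-rule evaluator with a per-policy default action.

Added illustration only; rule format and match semantics are assumptions,
not the NGFW product's own implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                              # source network, CIDR notation
    dst: str                              # destination network, CIDR notation
    proto: str                            # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, ...]]     # allowed destination ports, None = any
    action: str                           # "allow" or "deny"
    inspect: bool = False                 # hand a matched flow to the inspection policy


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """Header-only match on IP and transport fields; no payload is examined here."""
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dports is not None and flow.dport not in rule.dports:
        return False
    return True


def evaluate(rules, flow: Flow, default_action: str) -> Tuple[str, bool, Optional[str]]:
    """First matching rule wins; an unmatched flow gets the policy's default action."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.inspect, rule.name
    return default_action, False, None


# Default action is a property of the policy type, as stated in the answer.
FW_DEFAULT = "deny"    # firewall policy: unmatched traffic is dropped
IPS_DEFAULT = "allow"  # IPS policy: unmatched traffic passes

# Constructed sample rule set, shared by both policy types.
RULES = [
    Rule("web-to-dmz", "10.0.0.0/8", "192.0.2.0/24", "tcp", (80, 443), "allow", inspect=True),
    Rule("block-telnet", "0.0.0.0/0", "0.0.0.0/0", "tcp", (23,), "deny"),
]


def compare(flow: Flow) -> Dict[str, Tuple[str, bool, Optional[str]]]:
    """Run the same flow through the same rules under FW and IPS defaults."""
    return {
        "fw": evaluate(RULES, flow, FW_DEFAULT),
        "ips": evaluate(RULES, flow, IPS_DEFAULT),
    }


if __name__ == "__main__":
    # Constructed sample flows: one matched allow, one matched deny, one unmatched.
    for f in (
        Flow("10.1.2.3", "192.0.2.10", "tcp", 443),
        Flow("10.1.2.3", "192.0.2.10", "tcp", 23),
        Flow("203.0.113.5", "192.0.2.10", "udp", 53),
    ):
        print(f, compare(f))
```

Matched flows produce the same verdict on both policy types; only the third, unmatched flow diverges, which is the "default action (deny/allow)" difference the answer describes. The `inspect` flag shows where the shared inspection policy would be invoked from either policy's Inspection tab.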