IDS mailing list archives

Re: Intrusion Prevention Systems


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Wed, 30 Oct 2002 12:09:54 -0800


Andrew Plato writes:

> 2. IPS is hardly a "test lab device" or unproven technology. I have
> Guard units deployed all over the Pacific Northwest protecting critical
> mainframes, DMZs, and even some Linux clusters.  These units are like
> tanks with practically zero down-time and exceptional performance.

        [ Which is a distinctly un-tanklike behaviour.  But
          that's a different argument.  -spb ]

> In one case, a Guard unit is defending a particular client's credit card
> system - and it has blocked more script kiddies and hackers than I can
> well count. It is integrated with a comprehensive host-based IDS and
> some other NIDS and provides exceptional insight and capability for
> this customer.

Just because a mean old ugly hack works doesn't mean it ain't a mean old
ugly hack.

Maybe this is just general peevishness on my part, but I tend to think
that if a problem's been around long enough to have a works-well-enough-for-
me-to-trust-my-routing-to-it signature available, then it's been around
long enough for me to fix the actual problem itself.  I.e., patching the
vulnerable application, removing the vulnerable machine from the network,
or reprimanding the offending party or parties (i.e., by defenestration).
Rather than blithely leaving the vulnerable widget exposed to the big,
bad internet and relying on the security sangreal du jour to miracle the
bad traffic away.

The way I see it (and by `see' here I mean `grossly simplify for the
sake of the argument'), there are two main flavours of machine you might
want to protect with one of these gimcracks:

        -Critical services.  I.e., a company's online store or something
         like that.  If this thing goes down, some marketing droid
         immediately appears in your office/cube, and starts reciting
         figures about how the company starts losing nineteen megadoubloons
         a fortnight during outages.  So this is the stuff you're really
         worried about.
        -Random desktops.  I.e., everything else.  The mean time between
         outages depends on when the lusers last took their medication,
         and someone else fields the calls for this stuff.

Clearly, you really need to be architecting machines in the former group
from the ground up---for stability, performance, and (on a good day)
security---and the latter group contains the ones that are expected to get
their security in the form of band-aids and baling wire applied ad hoc as
problems develop.

In the case of something like a firewall, you generally discover that
the places where you get the most utility are the places
where you are -least- concerned about the protected assets---because the
critical assets are already secure-by-design and so don't get much out
of the secure-by-workaround nature of bolt-on security widgets like
firewalls.  I think the situation with IPSes is isomorphic.  

Now I'm not suggesting that it's worthless or -harmful- to deploy an IPS
in such a situation---just that there isn't much to justify the pain and
expense of such a deployment.  If this is -not- the case, then I'd submit
that you've probably made a nonzero number of GCEs in the implementation
of your network.





-spb

