IDS mailing list archives
Re: Intrusion Prevention Systems
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Wed, 30 Oct 2002 12:09:54 -0800
Andrew Plato writes:
2. IPS is hardly a "test lab device" or unproven technology. I have Guard units deployed all over the Pacific Northwest protecting critical mainframes, DMZs, and even some Linux clusters. These units are like tanks with practically zero down-time and exceptional performance.
[ Which is a distinctly un-tanklike behaviour. But that's a different argument. -spb ]
In one case, a Guard unit is defending a particular client's credit card system - and it has blocked more script kiddies and hackers than I can well count. It is integrated with a comprehensive host-based IDS and some other NIDS and provides exceptional insight and capability for this customer.
Just because a mean old ugly hack works doesn't mean it ain't a mean old ugly hack. Maybe this is just general peevishness on my part, but I tend to think that if a problem's been around long enough to have a works-well-enough-for-me-to-trust-my-routing-to-it signature available, then it's been around long enough for me to fix the actual problem itself. I.e., patching the vulnerable application, removing the vulnerable machine from the network, or reprimanding the offending party or parties (i.e., by defenestration). Rather than blithely leaving the vulnerable widget exposed to the big, bad internet and relying on the security sangreal du jour to miracle the bad traffic away.

The way I see it (and by `see' here I mean `grossly simplify for the sake of the argument'), there are two main flavours of machine you might want to protect with one of these gimcracks:

-Critical services. I.e., a company's online store or something like that. If this thing goes down, some marketing droid immediately appears in your office/cube, and starts reciting figures about how the company starts losing nineteen megadoubloons a fortnight during outages. So this is the stuff you're really worried about.

-Random desktops. I.e., everything else. The mean time between outages depends on when the lusers last took their medication, and someone else fields the calls for this stuff.

Clearly, you really need to be architecting machines in the former group from the ground up---for stability, performance, and (on a good day) security---and the latter group contains the ones that are expected to get their security in the form of band-aids and bailing wire applied ad hoc as problems develop.
In the case of something like a firewall, you generally discover that the places where you get the most utility are the places where you are -least- concerned about the protected assets---because the critical assets are already secure-by-design and so don't get much out of the secure-by-workaround nature of bolt-on security widgets like firewalls. I think the situation with IPSes is isomorphic. Now I'm not suggesting that it's worthless or -harmful- to deploy an IPS in such a situation---just that there isn't much to justify the pain and expense of such a deployment. If this is -not- the case, then I'd submit that you've probably made a nonzero number of GCEs in the implementation of your network. -spb