IDS mailing list archives
RE: NIPS Vendors explicit answer
From: "Rob Shein" <shoten () starpower net>
Date: Wed, 28 Apr 2004 12:15:07 -0400
Comments inline...
-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Wednesday, April 28, 2004 12:07 PM
To: Rob Shein
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer

> On Tue, 2004-04-27 at 10:39, Rob Shein wrote:
> > I can answer this fairly easily. Bruce Schneier, among other people,
> > has been pointing out that the real measure of security is how
> > gracefully it fails.
>
> I think that was in the context of "a failed component should fail safe
> and not become a threat to others" as opposed to "if a component fails,
> let's hope there is a second one catching it".
Actually, that's not what he meant. He was referring to things like the amount of damage caused when a component fails. One example he described was the case of a man who ran clear through the security checkpoint of an airport terminal; as a result, they had to shut down the entire terminal, affecting flights nationwide. In this case, things failed safe, but it was a disaster. This was an example of security not failing gracefully. His recommendation was to have more security checkpoints, and to place them so that each one covers a smaller section of the airport; that way a single failure won't take down half of LaGuardia, LAX, or Dulles.
> > In many large environments (like where I am right now) there can be
> > confusion as to who is responsible for which system; the system in
> > question may go unpatched as a result. When there's an IPS on top of
> > everything, it makes a big difference, because now you have another
> > layer of defense to protect it.
>
> It seems that you have a failing/broken patch management system. I would
> put resources towards fixing that instead of adding yet another layer of
> band-aids (IPS).
Well, I don't see how I'm going to fix the fact that humans are involved, and inherently prone to mistakes. I'd have to show you the organizational management changes to explain further, but this was not a technical failure in my example.
> Don't get me wrong, I see where it is useful. But the security community
> is starting to slap patches and products on top of one another without
> fixing the real symptoms. We are starting to believe that the mass of
> band-aids are a strong rope. It's like Microsoft adding patches on top of
> patches to fix broken patches while they should be going back and fixing
> the underlying root causes.
And while they're doing that (which they aren't, by the way), what are the rest of us supposed to do in the meanwhile? :)
> I think the same is happening with IPS. They are the solution to all
> problems, but not the cure. Yes, you protect your network from known
> (signature) or vastly abnormal (flows) vulnerability abuse. But the
> solution is only temporary unless it works, right? I'm trying to
> highlight the danger that we might not address the root causes (mainly
> fixing broken software, or broken patch management, or lax access
> controls, etc). The security industry is becoming more reactive than
> proactive. Heck, we're still reacting to viruses like we did 20 years
> ago. We still haven't found a way to prevent them in a proactive way. I
> think IPS will go the same route. With IPSes in place, our priorities
> are changing towards other issues and broken pieces are left in place
> because they are (currently) not dangerous, protected by an IPS. And we
> may never go back to fix them because they don't pose as much of a
> perceived threat anymore (as I was hinting with my "complacent" comment
> earlier).
Bad people do bad things. I don't know of any really proactive solution to this fact that has ever been developed. If you consider car alarms, locks on doors, bulletproof glass, and burglar alarms to be reactive, then IPS is reactive too. If you consider them proactive, in that they are put in place to forestall, prevent or deter an attack, then so is IPS.