IDS mailing list archives
RE: IDS\IPS that can handle one Gig
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Wed, 1 Jun 2005 09:11:56 -0700
Another option, and one that many organizations are beginning to favor, is to forget the current, "fashionable" notions of IPS and return to basics -- to focus more closely on vulnerability and information management. I believe that if you have a comprehensive, continuous and meaningful flow of information about the environment and an effective vulnerability remediation program, the need for IPS appliances and agents (band-aids) can be reduced dramatically.
I hear this every now and then from security people, and I think this is an attitude borne out of lack of experience with IPS. I have yet to see an environment (and I am a consultant, so I see hundreds per year) where there is an effective patch and vulnerability management that can keep pace with the exploits in the wild. Quite simply, it is impossible to think you can keep a large enterprise continuously patched and therefore resistant to the latest vulnerabilities. On average, it can take 20 to 30 days for an organization to roll out a single Microsoft Windows patch. That includes testing, troubleshooting, and deployment. In 30 days, your environment could be crawling with all sorts of filth thanks to unpatched machines.

Furthermore, if you look at the timeline from when a vulnerability is "discovered" to when an exploit hits the streets, that time can be days, even hours. In that case, it's still weeks before MS or anybody releases a patch, and then even more time before you could patch all your machines. In this case, even under reasonable, well-controlled situations, most organizations are three to six weeks out from patching systems when an exploit is released. That is a ridiculously long period of time, a period where that environment could become infested.

Furthermore, a "comprehensive, continuous and meaningful flow of information about the environment" means eyeballs. Somebody needs to be watching that meaningful flow of information. And while highly trained security engineers are an important part of a security team, they won't work 24 hours a day. People are the most important part of information security, but technology works longer hours. People also make mistakes and miss things. It's insane to think a security admin or a network admin has the time or concentration to sift through mountains of data every day. Nobody will do that job for long, or do it well.
Now, with a good IPS deployment, I can load up a signature update (hopefully released BEFORE the exploit hit the streets), and now my entire network is secure from the new exploit. I go home and rest easy. If I have host IPS, I can update all my workstations too. Now my patch management team has time to roll out patches in a more controlled and logical manner. They are not dashing around at 4 AM trying to put out fires. IPS gives people control over their environment. And well-run IT departments have control over their equipment. They're not constantly flailing around or giving themselves impossible tasks.

That much said, I agree that IPS is sometimes given unrealistic expectations. For this, I point the finger squarely at the legions of Blackberry-pecking vendor reps and cell-phone-yacking volume resellers who say things like "If you're not using <insert technology here>, you're not secure!" (that's an actual line, from an actual ad I saw). These people could care less about security; they just want to sell something. So they'll tell you anything you want to hear about an IPS. And they rely on the ignorance of IT departments to fall for marketing BS.

However, when you peel away the sales people, I sincerely do not think IPS is some "fashionable notion." It's a serious and effective way to proactively defend a network. I have seen the benefits.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm