IDS mailing list archives
Re: ROI on IDS/IPS products
From: Ravi Chunduru <ravi.is.chunduru () gmail com>
Date: Thu, 5 Mar 2009 17:56:04 -0800
Nice post. How does one find out misconfigured firewalls and NAT boxes using IPS?

Ravi

On Thu, Mar 5, 2009 at 9:01 AM, Joel M Snyder <Joel.Snyder () opus1 com> wrote:

Speaking to the ROI, someone already observed that in at least one environment it was concluded that patch management was addressing an overlapping set of low-hanging fruit and that therefore the IPS was no longer earning its keep.

As an interesting coincidence, I advised a client on that last night: they were being told that their managed firewall on a 20-person branch office was being jacked up from $100/month to $400/month because of the IPS, and I told them that if they put that money into better patch discipline, it would be better spent.

HOWEVER, I like to say in my lectures on IPS that focusing on the IPS as a way of preventing intrusion attacks tends to discount the huge value of the IPS.

Personally, I have to agree with naysayers: sticking an IPS out near the firewall on a well-managed network isn't going to catch much coming in. But there are LOTS of other wonderful things that the IPS will help tell you about, including:

- internally infected systems
- misconfigured applications
- misconfigured firewalls
- misconfigured routing
- misconfigured NAT boxes (I see this A LOT)
- network usage
- data leaks
- inappropriate applications or unknown applications

And I see those as valuable and part of the IPS "earning its keep." The notion that a properly managed IDS at TJX would have saved them the embarrassment of their data breach is a fiction promoted only by people who don't understand what IPS/IDS does but do want to sell you something.

I have some graphs which, in words, essentially say this:

- chances someone will break into your network: about 1%
- chances that an IPS would have caught it: about 20%

(in other words: with a firewall and good patch discipline, it probably won't happen to you, and if it does, the IPS probably won't catch it)

AND

- chances you have a security problem on your network: 100%
- chances an IPS will help you discover and fix these: 100%

When I tell clients they need/want/should have an IPS, it's not because of some motivated external attacker this will help, but because they need better security visibility in their network and they don't have it.

I have a long-standing bet which I have never lost that says if we put an IDS on your network, I can guarantee that it will tell you something about your security that you didn't know, but should.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
jms () Opus1 COM
http://www.opus1.com/jms
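The visibility argument above (and Ravi's question about spotting misconfigured firewalls and NAT boxes) is easiest to see with a concrete check. The following is an added illustration, not code from the list thread or from any IDS product: it runs a few simple classifications over constructed flow records as an IDS sensor would see them. It assumes two sensor positions ("outside" between firewall and internet, "inside" on the LAN side), a made-up local policy of ports that must never be reachable inbound, and a made-up SMTP fan-out threshold; the flows, addresses and thresholds are all constructed for the example.

```python
import ipaddress

# Constructed sample flow records (not from the list post). Each is
# (sensor, src_ip, dst_ip, dst_port). "outside" is a sensor between the
# firewall and the internet; "inside" is a sensor on the LAN side, so anything
# it sees from a public source has already made it through the firewall.
SAMPLE_FLOWS = [
    ("outside", "192.168.10.5", "203.0.113.9", 80),     # private source leaked untranslated
    ("outside", "198.51.100.200", "203.0.113.9", 443),  # normal NATed outbound flow
    ("inside", "198.51.100.7", "10.0.0.12", 445),       # inbound SMB got past the firewall
    ("inside", "10.0.0.33", "203.0.113.20", 25),        # one workstation talking SMTP
    ("inside", "10.0.0.33", "203.0.113.21", 25),        # ... to several external MTAs
    ("inside", "10.0.0.33", "203.0.113.22", 25),
    ("inside", "10.0.0.40", "203.0.113.50", 443),       # ordinary HTTPS, no finding
]

# Assumed local policy: these ports must never be reachable from the internet.
BLOCKED_INBOUND_PORTS = {23, 445, 3389}
# Assumed: only a mail relay should speak SMTP to the internet; any other host
# reaching this many distinct external MTAs is flagged as a possible infection.
SMTP_FANOUT_THRESHOLD = 3

# RFC 1918 ranges, listed explicitly rather than via ipaddress.is_private,
# because is_private also matches the documentation ranges used above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_flows(flows):
    """Return a list of (category, detail) findings.

    Three of the categories from the post are evidenced here:
    - misconfigured NAT: a private source address seen on the outside sensor
    - misconfigured firewall: a public source reaching an internal host on a
      port the policy says is blocked inbound
    - possibly infected host: an internal host fanning SMTP out to many
      distinct external hosts
    """
    findings = []
    smtp_peers = {}  # internal src -> set of external SMTP destinations
    for sensor, src, dst, port in flows:
        if sensor == "outside" and is_rfc1918(src):
            findings.append(("misconfigured NAT",
                             f"private source {src} reached the outside sensor untranslated"))
        if (sensor == "inside" and not is_rfc1918(src) and is_rfc1918(dst)
                and port in BLOCKED_INBOUND_PORTS):
            findings.append(("misconfigured firewall",
                             f"{src} reached internal host {dst} on blocked port {port}"))
        if sensor == "inside" and is_rfc1918(src) and not is_rfc1918(dst) and port == 25:
            smtp_peers.setdefault(src, set()).add(dst)
    for src, peers in sorted(smtp_peers.items()):
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            findings.append(("possibly infected host",
                             f"{src} spoke SMTP directly to {len(peers)} distinct external hosts"))
    return findings


if __name__ == "__main__":
    for category, detail in classify_flows(SAMPLE_FLOWS):
        print(f"[{category}] {detail}")
```

None of these checks needs an attack signature; they only compare what the sensor saw against what the network is supposed to look like, which is the kind of "something you didn't know, but should" the post is talking about. A real deployment would feed the same logic from the IDS's flow or alert export rather than a hard-coded list.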