Full Disclosure mailing list archives

Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection


From: Nelson Brito <nbrito () sekure org>
Date: Tue, 1 Jun 2010 10:23:31 -0300

Comments are inline!

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it  
from Google Code (http://code.google.com/p/mssqlfp/) or from  
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an iPhone wireless device. Please, forgive any potential misspellings!

On Jun 1, 2010, at 9:52 AM, "Cor Rosielle" <cor () outpost24 com> wrote:

Nelson,

You're missing one point: Host IPS MUST be deployed with any Network Security (Firewalls or NIPSs).
Please be aware this is a risk decision and not a fact. I don't use a host IPS and no anti-virus either. Still I'm sure my laptop is perfectly safe. This is because I do critical thinking about security measures and don't copy the behavior of others (who often don't think for themselves and just copy other people's behavior). Please note I'm not saying you're not thinking. If you did some critical thinking and a host IPS is a good solution for you, then that's OK. It just doesn't mean it is a good solution for everybody else and everybody MUST deploy a host IPS.

That's so 1990! NIPS and/or Firewall just protect you if you're inside the "borders"... But, come on. Who doesn't have a laptop nowadays? So, multiple protection layers are better than none, anyways.

You have choices when adopting a security posture or, if you prefer, a risk posture. I believe that it's quite difficult and almost impossible to stay updated with all the threats, due to their exponential growth.


No security solution/technology is the miracle protection alone,
That's true.

so that's the reason everybody is talking about defense in depth.
Defense in depth is often used for another line of a similar defense mechanism as the previous one already was. Different layers of defense work best if the defense mechanisms differ. So if you're using anti-virus software (which gives you an authentication control and an alarm control according to the OSSTMM), then a host IDS is not the best additional security measure (because this also gives you an authentication and an alarm control).

Woowoo... I cannot agree with you, because AV has nothing to do with protecting the end-point against network attacks. AV will alert and protect only when the threat has already reached your end-point. Besides, there are other layers, such as buffer overflow protection inside HIPS. Note that I am not talking about IDS. 8)

This would also be a risk decision, but based on facts and the rules  
defined in the OSSTMM and not based on some marketing material. You  
should give it a try.

It always is a risk decision, and I'm not basing MHO on any "standard"; it's based on my background... And, AFAIK, nobody can expect that users and/or server systems will be able to apply all or any updates in a huge environment.


Regards,
Cor Rosielle

w: www.lab106.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/