funsec mailing list archives
Re: so, is I[dp]S a STUPID technology?
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 11 Oct 2005 17:13:35 -0500
--On Tuesday, October 11, 2005 23:38:29 +0200 Aviram Jenik <aviram () beyondsecurity com> wrote:
What if I *do* have a vulnerability and the IPS blocked the attack? Then I'm ahead of the game.On Tuesday, 11 October 2005 21:50, Paul Schmehl wrote:We're using TIppingpoint at the edge, and I can assure you it's in blocking mode. It's reduced the number of attacks we were seeing by over two thirds.[...]some of us have to actually deal with the crap floating around in the etherSee, this is what I don't get. I can understand the bored people (sorry Gadi) who want to log and monitor who attacks them and why. I _can't_ understand the busy people who are actually protecting their network, spending their time and money on silly IDS solutions. So you blocked 2/3 of the attacks. So what? Either those attacks were directed at vulnerabilities you have on your network, or they were futile attacks for services you have patched. If the second is true - why do you care? 0 successful attacks out of 1,000 is equivalent to 0 out of 3,000.
If the first is true, how do you know there wasn't a successful attack in that 1/3 that wasn't blocked by the IDS? Surely you don't want to roll the dice with those odds.
I'm in edu. We roll the dice every day. :-)
If you can recommend an *enterprise* capable vulnerability scanner (IOW one that I can schedule massive scanning events for a class A *and* class B network and then go look at the results when I have time) that doesn't cost more than my annual budget, then please do. I can guarantee you ISS is *not* it, and we spent a fortune (as fortunes go in edu) on the damn thing. It's completely worthless. I can't even successfully scan nine webservers with the damn thing.True, no solution is perfect, but Paul - why won't you use your IDS/IPS budget, and the time you spent configuring and installing it, in running a vulnerability scanner at regular basis (automatically, hopefully) and install a decent patch management system to make sure your systems are up to date?
Nessus? Nessus is useful on a one-off basis, but I need a vuln scanner that will work in the background, 24/7 and generate *useful* reports that tell me where my problems are. I'm not aware of one that does that that I can afford. Are you?
I think you are. And I'm not trying to be argumentative either. We all learn from each other because each of us have different skill sets and different exposures that color our outlooks.I'm not trying to be argumentative - I'm seriously trying to understand the logic. I must be missing something here.
In edu, I cannot guarantee you, even if I could five minutes ago, that I don't have vulnerabilities on my network. They come and go as fast as the students and faculty do. (Staff I can pretty much control.) What doesn't exist on my network now may well exist tomorrow. So, an IPS that blocks known attacks at the edge gives me an extra layer of protection against the idiots inside. It's as simple as that.
I could tell you stories, but you don't have the time, and neither do I. Suffice it to say that I'm vulnerable 100% of the time *somewhere* in my network, and I don't know it, because they *just* plugged the damn thing in.
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- so, is I[dp]S a STUPID technology? Gadi Evron (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Jordan Wiens (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Aviram Jenik (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Blue Boar (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Roland Dobbins (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Aviram Jenik (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Jordan Wiens (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Blue Boar (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Blue Boar (Oct 12)
- Message not available
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 13)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Robert Edmonds (Oct 20)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 20)
- Re: so, is I[dp]S a STUPID technology? Eduardo Tongson (Oct 20)