funsec mailing list archives
Re: so, is I[dp]S a STUPID technology?
From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 11 Oct 2005 15:49:18 -0700
To be clear, I don't do 'Cisco talk' - several vendors make scrubbing boxes, just as several vendors (including Cisco) make firewalls and IDS.
Small businesses can't rely upon in-line firewalls or IDS to defend themselves against DDoS, either, in my experience. Those are primarily policy-enforcement devices, and irrespective of their other possible merits, they generally aren't optimized for dealing with DDoS (marketing claims aside).
On Oct 11, 2005, at 3:35 PM, Kyle Quest wrote:
> > Routers and switches, when configured correctly, are generally more resilient to DDoS than devices which maintain lots of state, like inline IDS and firewalls. Inline IDS and firewalls are not generally good tools to rely upon for DDoS mitigation; RTBH, purpose-built boxes, and even reaction ACLs are generally better choices.
>
> I'm not sure what you mean by purpose-built boxes (DoS mitigation boxes perhaps?)... but I do detect the cisco talk in your reply :-)
>
> It's definitely a good idea to use all available technologies. Sometimes you have more, sometimes you have less at your disposal. That needs to be taken into consideration as well. If you are a service provider you can use the "defending network" approach, but if you are a small business then you don't have much reach into the overall networking infrastructure...
>
> Just so it's clear, I'm not at all saying that IDS-based IPS solutions can do a good job at dealing with DoS attacks. The IPS solutions need to be designed specifically for dealing with (D)DoS flood attacks.
-------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
-- Doug Gwyn

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.