funsec mailing list archives

RE: so, is I[dp]S a STUPID technology?


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 11 Oct 2005 20:05:12 -0400

To be clear, I don't do 'Cisco talk' - several vendors make scrubbing  
boxes, just as several vendors (including Cisco) make firewalls and IDS.

It sure does sound like it though... It's ok though. It's hard to avoid
it once you're in the Cisco mindset.

Small businesses can't rely upon in-line firewalls or IDS to defend  
themselves against DDoS, either, in my experience.  Those are  
primarily policy-enforcement devices, and irrespective of their other  
possible merits, they generally aren't optimized for dealing with  
DDoS (marketing claims aside).

Maybe we're a little bit off on the definitions. Given that you
haven't defined what in-line firewalls (are there such things
as off-line firewalls, I wonder :-] ) and in-line IDS are,
it's hard for me to be completely subjective. Either way,
I wasn't talking about those (if you're talking about what I'm thinking)... 
I was talking about specialized IPS systems designed to handle 
(D)DoS flood attacks. And if you meant those as well when you said 
"in-line firewalls or IDS", then I would have to disagree with you 
and suggest that you expand your "experience". There are indeed 
environments and deployments when a single (or an array of) in-line 
(D)DoS IPS systems work great at mitigating (D)DoS attacks and 
those are no marketing claims... Obviously, there are cases when they
don't work well. I'm not claiming otherwise.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.