funsec mailing list archives
Re: so, is I[dp]S a STUPID technology?
From: Roland Dobbins <rdobbins () cisco com>
Date: Thu, 13 Oct 2005 12:59:35 -0700
Some interesting examples for campus LANs:

http://www.roxanne.org/~eric/blaster.html
http://www.nanog.org/mtg-0402/gauthier.html
http://security.uconn.edu/old_site/uconn_response.html

On Oct 13, 2005, at 3:09 AM, Barrie Dempster wrote:
> On Thu, 2005-10-13 at 09:11 +0530, Aditya Deshmukh wrote:
>>> How? It's not like I know that Johnny is just about to plug in his brand-spanking new Suse box on my network. I'm intrigued. Tell me more.
>>
>> DHCP with MAC binding comes to mind - but you need a method in place for getting the MAC address approved, and management of that beast is a hell of a task itself....
>
> That has no relevance, the guy is talking about a campus network. So let's say his students all have to register their MACs; what's to stop them ramming an old version of an OS on the box, not updating the box etc... Not to mention the tremendous overhead of trying to keep track of all the machines that come in and out of the uni during the year. A lot of wasted effort and it doesn't come close to addressing the problem.
>
> The problem being that the machines are outwith the network administrator's control; they don't even belong to him or the network owners. It's more similar to an ISP/customer relationship than it is to a company/employee relationship. Therefore if the ISP wants to protect their network they have to make an effort to control the traffic from these machines. A .edu is one of the few cases I think I[P|D]Ss are worth setting up. In a more controlled environment, such as one where the network admin team has administrative control over all of the devices on the LAN, these technologies may not have the desired benefit. I do know a few of my clients have very rigorous schedules for how to deploy patches, but they will throw a signature in with little testing as it's highly unlikely to break their application.
>
> As for the subject of the thread, it's a stupid technology when deployed by stupid people. It can be an effective technology when deployed in an environment where there is a need for it. There are many people that believe defense in depth type concepts require you to use every security technology known to man in order to create a network with closely controlled security.
>
> This just isn't the case; it's a matter of defining the threats and defining the measures you will use to manage these threats. An I[D|P]S may or may not fit the bill for the needs of one scenario; this doesn't however rule the technology out completely for others.
>
> An analogy, because everybody loves them!! There is a threat in my house, as in I have poisonous chemicals under my sink (the cleaning stuff). I have determined that an effective security measure would be to add a latch to the cupboard that a young child couldn't open without help. This manages the risk of my kids drinking bleach. However if an adult breaks into my house and decides to steal my bleach I am not protected from that by this latch; other security measures may help with that, such as the locks on my doors or alarms/cameras etc.. However if someone gets past those mechanisms I'm not too worried about the bleach since there are more worthwhile targets in the house.
>
> Compare this to the University network: we can hopefully be sure that the accounting systems will have adequate protection, constantly monitored, patched, tested etc.... Where the students' machines aren't. The I[D|P]S in this case helps manage the risk of these less well defended machines without being terribly intrusive and demanding full administrative control. It's much more efficient for an I[D|P]S to handle these machines and let the admin concentrate on the more serious mission critical infrastructure. It is entirely subjective.
>
> Now Honeypots - that's a STUPID technology :-P
>
> --
> With Regards..
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> "He who hingeth aboot, geteth hee-haw" Victor - Still Game
>
> blog: http://reboot-robot.net
> sites: http://www.bsrf.org.uk - http://www.security-forums.com
> ca: https://www.cacert.org/index.php?id=3
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
-------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
-- Doug Gwyn
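As an added illustration of the "DHCP with MAC binding" idea Aditya raises and the bookkeeping burden Barrie objects to (example code written for this archive page, not from the thread or any of its posters): a small reconciliation script that reads ISC dhcpd-style lease blocks, compares active leases against a MAC registration list, and reports both unregistered machines on the wire and registrations old enough that the owner may have left. The `lease { ... }` syntax is ISC dhcpd's; the registration CSV layout, the sample leases, the MAC addresses and the 365-day staleness threshold are constructed assumptions.

```python
"""Reconcile DHCP leases against a campus MAC registration list.

Added example for the funsec I[D|P]S thread; not code from the thread.
Assumes ISC dhcpd's text lease format and a hypothetical registration
CSV with the columns 'mac,owner,registered_on' (ISO dates).
"""
import csv
import io
import re
from datetime import date

# Constructed sample in ISC dhcpd.leases style (MACs and hosts are made up).
SAMPLE_LEASES = """\
lease 10.1.2.10 {
  starts 4 2005/10/13 08:00:00;
  ends 4 2005/10/13 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "johnny-suse";
}
lease 10.1.2.11 {
  starts 4 2005/10/13 08:05:00;
  ends 4 2005/10/13 20:05:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "lab-pc-07";
}
lease 10.1.2.12 {
  starts 4 2005/10/12 08:05:00;
  ends 4 2005/10/12 20:05:00;
  binding state free;
  hardware ethernet 00:de:ad:be:ef:01;
}
"""

# Constructed sample registration list (hypothetical CSV layout).
SAMPLE_REGISTRATIONS = """\
mac,owner,registered_on
00:AA:BB:CC:DD:EE,lab-admin,2005-09-01
00:DE:AD:BE:EF:01,student-42,2004-09-15
"""

# One 'lease <ip> { ... }' block at a time; body is everything up to the brace.
LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
# Only the statements we care about; other lease statements are ignored.
FIELD_RE = re.compile(
    r"(?P<key>binding state|hardware ethernet|client-hostname)\s+(?P<val>[^;]+);")


def parse_leases(text):
    """Return {mac: {"ip", "state", "hostname"}} for every lease block with a MAC."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        fields = {k: v.strip().strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        mac = fields.get("hardware ethernet", "").lower()
        if not mac:
            continue  # lease without a hardware address: nothing to bind to
        leases[mac] = {
            "ip": m.group("ip"),
            "state": fields.get("binding state", "unknown"),
            "hostname": fields.get("client-hostname"),
        }
    return leases


def parse_registrations(text):
    """Return {mac: (owner, registered_on)} from the registration CSV."""
    regs = {}
    for row in csv.DictReader(io.StringIO(text)):
        regs[row["mac"].lower()] = (row["owner"], date.fromisoformat(row["registered_on"]))
    return regs


def reconcile(leases, regs, today, max_age_days=365):
    """Flag active leases with no registration, and registrations past max_age_days."""
    unregistered = sorted(
        mac for mac, lease in leases.items()
        if lease["state"] == "active" and mac not in regs)
    stale = sorted(
        mac for mac, (_owner, reg_date) in regs.items()
        if (today - reg_date).days > max_age_days)
    return {"unregistered": unregistered, "stale": stale}


def run_sample(today_iso="2005-10-13"):
    """Run the reconciliation over the constructed samples as of the given date."""
    return reconcile(parse_leases(SAMPLE_LEASES),
                     parse_registrations(SAMPLE_REGISTRATIONS),
                     date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = run_sample()
    print("active but unregistered:", ", ".join(report["unregistered"]) or "none")
    print("registrations older than a year:", ", ".join(report["stale"]) or "none")
```

Run as-is it reports the SUSE box as active-but-unregistered and the 2004 registration as stale; pointing `parse_leases` at a real `dhcpd.leases` and `parse_registrations` at whatever the registration process exports gives the daily list an admin would have to chase, which is the overhead the thread is talking about.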
Current thread:
- Re: so, is I[dp]S a STUPID technology?, (continued)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Valdis . Kletnieks (Oct 12)
- RE: so, is I[dp]S a STUPID technology? Aditya Deshmukh (Oct 11)
- RE: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Florian Weimer (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Valdis . Kletnieks (Oct 12)
- Re: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 12)
- RE: so, is I[dp]S a STUPID technology? Aditya Deshmukh (Oct 12)
- RE: so, is I[dp]S a STUPID technology? Barrie Dempster (Oct 13)
- Re: so, is I[dp]S a STUPID technology? Roland Dobbins (Oct 13)
- RE: so, is I[dp]S a STUPID technology? Paul Schmehl (Oct 13)
- lalala [was: Re: so, is I[dp]S a STUPID technology?] Gadi Evron (Oct 11)
- Re: lalala [was: Re: so, is I[dp]S a STUPID technology?] Valdis . Kletnieks (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Roland Dobbins (Oct 11)
- IPS as anti ddos???? [was: Re: so, is I[dp]S a STUPID technology?] Gadi Evron (Oct 11)
- Re: so, is I[dp]S a STUPID technology? Roland Dobbins (Oct 11)