Re: so, is I[dp]S a STUPID technology?

[Roland Dobbins <rdobbins () cisco com>]

Some interesting examples for campus LANs:

http://www.roxanne.org/~eric/blaster.html

http://www.nanog.org/mtg-0402/gauthier.html

http://security.uconn.edu/old_site/uconn_response.html


On Oct 13, 2005, at 3:09 AM, Barrie Dempster wrote:

> On Thu, 2005-10-13 at 09:11 +0530, Aditya Deshmukh wrote:
>
> > > How?  It's not like I know that Johnny is just about to plug in his
> > > brand-spanking new Suse box on my network.  I'm intrigued.
> > > Tell me more.
> >
> > DHCP with MAC binding comes to mind - but you need a method in place
> > for getting the MAC address approved and management of that beast in
> > A hell of a task itself....
>
>
> That has no relevance, they guy is talking about a campus network. So
> lets say his students all have to register their MACs whats to stop  
> them
> ramming an old version of an OS on the box, not updating the box  
> etc...
>
> Not to mention the tremendous overhead of trying to keep track of all
> the machines that come in and out of the uni during the year. A lot of
> wasted effort and it doesn't come close to addressing the problem.
>
> The problem being that the machines are outwith the network
> administrators control, they don't even belong to him or the network
> owners. It's more similar to an ISP/customer relationship than it  
> is to
> company/employee relationship. Therefore if the ISP wants to protect
> their network they have to make an effort to control the traffic from
> these machines. A .edu is one of the few cases I think I[P|D]S's are
> worth setting up. In a more controlled environment such as one  
> where the
> network admin team has administrative control over all of the  
> devices on
> the LAN then these technologies may not have the desired benefit.
>
> I do know a few of my clients have very rigorous schedules for how to
> deploy patches, but they will throw a signature in with little test as
> it's highly unlikely to break their application.
>
> As for the subject of the thread, it's a stupid technology when  
> deployed
> by stupid people. It can be an effective technology when deployed  
> in an
> environment where there is a need for it. There are many people that
> believe defense in depth type concepts require you to use every  
> security
> technology known to man in order to create a network with closely
> controlled security. This just isn't the case it's a matter of  
> defining
> the threats and defining the measures you will use to manage these
> threats. An I[D|P]S may or may not fit the bill for the needs of one
> scenario, this doesn't however rule the technology out completely for
> others.
>
> An analogy, because every body loves them!! There is a threat in my
> house, as in I have poisonous chemicals under my sink (the cleaning
> stuff). I have determined that an effective security measure would  
> be to
> add a latch to the cupboard that a young child couldn't open without
> help. This manages the risk of my kids drinking bleach. However if an
> adult breaks into my house and decides to steal my bleach I am not
> protected from that by this latch, other security measures may help  
> with
> that such as the locks on my doors or alarms/cameras etc.. However if
> someone gets past those mechanisms I'm not too worried about the  
> bleach
> since there are more worthwhile targets in the house. Compare this to
> the University network, we can hopefully be sure that the accounting
> systems will have adequate protection, constantly monitored, patched,
> tested etc.... Where the students machines aren't. The I[D|P]S in this
> case helps manage the risk of these less well defended machines  
> without
> being terribly intrusive and demanding full administrative control.  
> It's
> much more efficient for an I[D|P]S to handle these machines and let  
> the
> admin concentrate on the more serious mission critical infrastructure.
>
> It is entirely subjective. Now Honeypots - thats a STUPID  
> technology :-P
>
>
> --
> With Regards..
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> "He who hingeth aboot, geteth hee-haw" Victor - Still Game
>
> blog:  http://reboot-robot.net
> sites: http://www.bsrf.org.uk - http://www.security-forums.com
> ca:    https://www.cacert.org/index.php?id=3
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

-------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things.

                      -- Doug Gwyn
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.