nanog mailing list archives
Re: Checkpoint IPS
From: Joel Maslak <jmaslak () antelope net>
Date: Fri, 6 Feb 2015 08:25:27 -0700
On Thu, Feb 5, 2015 at 10:47 AM, Roland Dobbins <rdobbins () arbor net> wrote:
> On 6 Feb 2015, at 0:38, Raymond Burkholder wrote:
>> There must be some sort of value in that?
> No - patch the servers.
Patching servers protects against >0 Day attacks only. This does not protect against 0 day attacks, unless you know of an OS vendor that writes good code without security holes.

What type of device is needed depends on risk, what you are protecting, what attacks are important, etc. It's not a simple matter of "firewall bad" or "firewall good". I won't even get into the stateless-vs-stateful debate, because it's more complex than "stateful bad" (*cough* SIP *cough*).

Nor will I mention that it depends on what you're protecting to figure out how much of each of availability or confidentiality or integrity you need - you might need lots of integrity but little availability, for instance.