nanog mailing list archives

Re: Checkpoint IPS


From: Joel Maslak <jmaslak () antelope net>
Date: Fri, 6 Feb 2015 08:25:27 -0700

On Thu, Feb 5, 2015 at 10:47 AM, Roland Dobbins <rdobbins () arbor net> wrote:

> On 6 Feb 2015, at 0:38, Raymond Burkholder wrote:
>
>> There must be some sort of value in that?
>
> No - patch the servers.


Patching servers protects against >0 Day attacks only.

This does not protect against 0 day attacks, unless you know of an OS
vendor that writes good code without security holes.

What type of device needed depends on risk, what you are protecting, what
attacks are important, etc.  It's not a simple matter of "firewall bad" or
"firewall good".

I won't even get into the stateless-vs-stateful debate, because it's more
complex than "stateful bad" (*cough* SIP *cough*). Nor will I mention that
it depends on what you're protecting to figure out how much of each of
availability or confidentiality or integrity you need - you might need lots
of integrity but little availability, for instance.

