nanog mailing list archives

Re: Checkpoint IPS

From: Terry Baranski <terry.baranski.list () gmail com>
Date: Thu, 5 Feb 2015 14:29:39 -0500

On 6 Feb 2015, at 1:40pm, Roland Dobbins wrote:

*Real* security mostly consists of *doing things*.  It requires skilled, experienced people who have both broad and deep expertise across the entire OSI model, are well-versed in architecture and the operational arts, and who understand all the implications of scale.

And if there's one person qualified to comment on what "real security" is,
it's a person who has "never heard a plausible anecdote of [IPS] devices
actually 'preventing' anything." :-)

-Terry

On Thu, Feb 5, 2015 at 1:40 PM, Roland Dobbins <rdobbins () arbor net> wrote:
On 6 Feb 2015, at 1:26, Matthew Huff wrote:

Like it's been said before, I strongly support my competitors following your advice.
Sorry - I've done the jobs, all of them.  They can be done properly, and
are done properly by clueful operators.

Oh, and what are operators who deploy these things supposed to do about
*vulnerabilities in these devices themselves*?  That's a huge problem, they
present a juicy attack surface, and exploits are discovered regularly.
That's in the presentation, as well.

I've heard these same tired arguments over and over again.  Folks tend to
change their tune when their entire production infrastructure is rendered
unavailable by a tiny DDoS which could be sourced from a single smartphone;
it's just sad that so many are only ready to listen and learn after they've
suffered serious production-impacting outages.

If all it took to achieve *real* security - as opposed to 'compliance' or
vendor marketing 'security' - were to write a check or cut a P.O. and drop
some middlebox/middleblade in the network, we wouldn't be in the permanent
state of security emergency in which we find ourselves.

*Real* security mostly consists of *doing things*.  It requires skilled,
experienced people who have both broad and deep expertise across the entire
OSI model, are well-versed in architecture and the operational arts, and
who understand all the implications of scale.

Unfortunately, such people are relatively rare, even within the
self-selected ranks of network operators - as several posts on this thread
clearly demonstrate.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>