nanog mailing list archives
Re: Checkpoint IPS
From: Terry Baranski <terry.baranski.list () gmail com>
Date: Thu, 5 Feb 2015 14:29:39 -0500
On 6 Feb 2015, at 1:40pm, Roland Dobbins wrote:
*Real* security mostly consists of *doing things*. It requires skilled, experienced people who have both broad and deep expertise across the entire OSI model, are well-versed in architecture and the operational arts, and who understand all the implications of scale.
And if there's one person qualified to comment on what "real security" is, it's a person who has "never heard a plausible anecdote of [IPS] devices actually 'preventing' anything." :-)

-Terry

On Thu, Feb 5, 2015 at 1:40 PM, Roland Dobbins <rdobbins () arbor net> wrote:

On 6 Feb 2015, at 1:26, Matthew Huff wrote:

Like it's been said before, I strongly support my competitors following your advice.

Sorry - I've done the jobs, all of them. They can be done properly, and are done properly by clueful operators.

Oh, and what are operators who deploy these things supposed to do about *vulnerabilities in these devices themselves*? That's a huge problem, they present a juicy attack surface, and exploits are discovered regularly. That's in the presentation, as well.

I've heard these same tired arguments over and over again. Folks tend to change their tune when their entire production infrastructure is rendered unavailable by a tiny DDoS which could be sourced from a single smartphone; it's just sad that so many are only ready to listen and learn after they've suffered serious production-impacting outages.

If all it took to achieve *real* security - as opposed to 'compliance' or vendor marketing 'security' - were to write a check or cut a P.O. and drop some middlebox/middleblade in the network, we wouldn't be in the permanent state of security emergency in which we find ourselves.

*Real* security mostly consists of *doing things*. It requires skilled, experienced people who have both broad and deep expertise across the entire OSI model, are well-versed in architecture and the operational arts, and who understand all the implications of scale.

Unfortunately, such people are relatively rare, even within the self-selected ranks of network operators - as several posts on this thread clearly demonstrate.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>