IDS mailing list archives

RE: NIPS Vendors explicit answer


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 28 Apr 2004 11:06:42 -0500

On Tue, 2004-04-27 at 10:39, Rob Shein wrote:
> I can answer this fairly easily.  Bruce Schneier, among other people, has
> been pointing out that the real measure of security is how gracefully it
> fails.

I think that was in the context of "a failed component should fail safe
and not become a threat to others" as opposed to "if a component fails,
let's hope there is a second one catching it".

> In many large environments (like where I am right now) there can be
> confusion as to who is responsible for which system; the system in question
> may go unpatched as a result.  When there's an IPS on top of everything, it
> makes a big difference, because now you have another layer of defense to
> protect it.

It seems that you have a failing/broken patch management system. I would
put resources towards fixing that instead of adding yet another layer of
band-aids (IPS).

Don't get me wrong, I see where it is useful. But the security community
is starting to slap patches and products on top of one another without
fixing the real symptoms. We are starting to believe that the mass of
band-aids are a strong rope. It's like Microsoft adding patches on top
of patches to fix broken patches while they should be going back and fixing
the underlying root causes.

I think the same is happening with IPS. They are the solution to all
problems, but not the cure. Yes, you protect your network from known
(signature) or vastly abnormal (flows) vulnerability abuse. But the
solution is only temporary unless it works, right? I'm trying to
highlight the danger that we might not address the root causes (mainly
fixing broken software, or broken patch management, or lax access
controls, etc).

The security industry is becoming more reactive than proactive. Heck,
we're still reacting to viruses like we did 20 years ago. We still
haven't found a way to prevent them in a proactive way. I think IPS will
go the same route. With IPSes in place, our priorities are changing
towards other issues, and broken pieces are left in place because they
are (currently) not dangerous while protected by an IPS. And we may never go
back to fix them because they don't pose as much of a perceived threat
anymore (as I was hinting with my "complacent" comment earlier).

That's my beef with the whole issue and the reason I stepped into this
thread.

Regards,
Frank


(Disclaimer: I developed an "IPS" (I prefer the term intrusion reaction
system), and use that and other IPSes myself. Yet it is my duty to play
devil's advocate and think outside the box. Please chastise me for my
thoughts in this thread, and not for who I am.)
