IDS mailing list archives
RE: NIPS Vendors explicit answer
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 28 Apr 2004 11:06:42 -0500
On Tue, 2004-04-27 at 10:39, Rob Shein wrote:
> I can answer this fairly easily. Bruce Schneier, among other people, has been pointing out that the real measure of security is how gracefully it fails.
I think that was in the context of "a failed component should fail safe and not become a threat to others" as opposed to "if a component fails, let's hope there is a second one catching it".
> In many large environments (like where I am right now) there can be confusion as to who is responsible for which system; the system in question may go unpatched as a result. When there's an IPS on top of everything, it makes a big difference, because now you have another layer of defense to protect it.
It seems that you have a failing/broken patch management system. I would put resources towards fixing that instead of adding yet another layer of band-aids (IPS). Don't get me wrong, I see where it is useful. But the security community is starting to slap patches and products on top of one another without fixing the real symptoms. We are starting to believe that the mass of band-aids is a strong rope. It's like Microsoft adding patches on top of patches to fix broken patches when they should be going back and fixing the underlying root causes.

I think the same is happening with IPS. They are the solution to all problems, but not the cure. Yes, you protect your network from known (signature) or vastly abnormal (flows) vulnerability abuse. But the solution is only temporary unless it works, right? I'm trying to highlight the danger that we might not address the root causes (mainly fixing broken software, or broken patch management, or lax access controls, etc.). The security industry is becoming more reactive than proactive. Heck, we're still reacting to viruses like we did 20 years ago. We still haven't found a way to prevent them in a proactive way. I think IPS will go the same route. With IPSes in place, our priorities are changing towards other issues, and broken pieces are left in place because they are (currently) not dangerous while protected by an IPS. And we may never go back to fix them because they don't pose as much of a perceived threat anymore (as I was hinting with my "complacent" comment earlier).

That's my beef with the whole issue and the reason I stepped into this thread.

Regards,
Frank

(Disclaimer: I developed an "IPS" (I prefer the term intrusion reaction system), and use that and other IPSes myself. Yet it is my duty to play devil's advocate and think outside the box. Please chastise me for my thoughts in this thread, and not for who I am.)
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: NIPS Vendors explicit answer, (continued)
- Re: NIPS Vendors explicit answer christian graf (Apr 19)
- RE: NIPS Vendors explicit answer Kohlenberg, Toby (Apr 12)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 26)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 26)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- Re: NIPS Vendors explicit answer Frank Knobbe (Apr 27)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- Message not available
- Re: NIPS Vendors explicit answer Frank Knobbe (Apr 27)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- RE: NIPS Vendors explicit answer Rob Shein (Apr 28)
- RE: NIPS Vendors explicit answer Frank Knobbe (Apr 30)
- RE: NIPS Vendors explicit answer Rob Shein (Apr 30)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 26)
- Re: IDSes and known attacks (was: NIPS Vendors explicit answer) Drexx Laggui (Apr 28)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 28)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 28)