RE: NIPS Vendors explicit answer

["Rob Shein" <shoten () starpower net>]

Comments inline...

> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us] 
> Sent: Wednesday, April 28, 2004 12:07 PM
> To: Rob Shein
> Cc: focus-ids () securityfocus com
> Subject: RE: NIPS Vendors explicit answer
>
>
> On Tue, 2004-04-27 at 10:39, Rob Shein wrote:
> > I can answer this fairly easily.  Bruce Schneier, among 
> other people, 
> > has been pointing out that the real measure of security is how 
> > gracefully it fails.
>
> I think that was in the context of "a failed component should 
> fail safe and not become a threat to others" as opposed to 
> "if a component fails, let's hope there is a second one catching it".

Actually, that's not what he meant.  He was referring to things like the
amount of damage caused when a component fails.  One example he described
was the case of a man who ran clear through the security checkpoint of an
airport terminal; as a result, they had to shut down the entire terminal,
affecting flights nationwide.  In this case, things failed safe, but it was
a disaster.  This was an example of security not failing gracefully.  His
recommendation was to have more security checkpoints, and have them places
so that each one covers a smaller section of the airport; that way a single
failure won't take down half of LaGuardia, LAX, or Dulles.

> >   In many large environments (like where I am right now) 
> there can be 
> > confusion as to who is responsible for which system; the system in 
> > question may go unpatched as a result.  When there's an IPS 
> on top of 
> > everything, it makes a big difference, because now you have another 
> > layer of defense to protect it.
>
> It seems that you have a failing/broken patch management 
> system. I would put resources towards fixing that instead of 
> adding yet another layer of band-aids (IPS).

Well, I don't see how I'm going to fix the fact that humans are involved,
and inherently prone to mistakes.  I'd have to show you the organizational
management changes to explain further, but this was not a technical failure
in my example.

> Don't get me wrong, I see where it is useful. But the 
> security community is starting to slap patches and products 
> on top of one another without fixing the real symptoms. We 
> are starting to believe that the mass of band-aids are a 
> strong rope. It's like Microsoft adding patches on top of 
> patches to fix broken patches while they should be going back 
> and fix the underlying root causes.

And while they're doing that (which they aren't, by the way), what are the
rest of us supposed to do in the meanwhile? :)

> I think the same is happening with IPS. They are the solution 
> to all problems, but not the cure. Yes, you protect your 
> network from known
> (signature) or vastly abnormal (flows) vulnerability abuse. 
> But the solution is only temporary unless it works, right? 
> I'm trying to highlight the danger that we might not address 
> the root causes (mainly fixing broken software, or broken 
> patch management, or lax access controls, etc).
>
> The security industry is becoming more reactive than 
> proactive. Heck, we're still reacting to viruses like we did 
> 20 years ago. We still haven't found a way to prevent them in 
> a proactive way. I think IPS will go the same route. With 
> IPSes in place, our priorities are changing towards other 
> issues and broken pieces are left in place because they are 
> (currently) not dangerous protected by an IPS. And we may 
> never go back to fix them because they don't pose as much of 
> a perceived threat anymore (as I was hinting with my 
> "complacent" comment earlier).

Bad people do bad things.  I don't know of any really proactive solution to
this fact that has ever been developed.  If you consider car alarms, locks
on doors, bulletproof glass, and burglar alarms to be reactive, then IPS is
reactive too.  If you consider them proactive, in that they are put in place
to forestall, prevent or deter an attack, then so is IPS.


---------------------------------------------------------------------------

---------------------------------------------------------------------------