Full Disclosure mailing list archives

Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection


From: "Cor Rosielle" <cor () outpost24 com>
Date: Tue, 1 Jun 2010 16:20:10 +0200

Nelson,

I put my comments inline as well

Regards, Cor

...snip... 
Nelson,

You're missing one point: Host IPS MUST be deployed with any Network
Security (Firewalls or NIPSs).
Please be aware this is a risk decision and not a fact. I don't use
a host IPS and no anti-virus either. Still I'm sure my laptop is
perfectly safe. This is because I do critical thinking about
security measures and don't copy the behavior of others (who often don't
think for themselves and just copy other people's behavior). Please
note I'm not saying you're not thinking. If you did some critical
thinking and a host IPS is a good solution for you, then that's OK.
It just doesn't mean it is a good solution for everybody else and
everybody MUST deploy a host IPS.

That's so 1990! NIPS and/or Firewall just protect you if you're inside
the "borders"... But, come on. Who doesn't have a laptop nowadays? So,
multiple protection layers are better than none, anyway.

Even one layer is better than none :-). Multiple layers are even better, especially when they are different types of 
protection. But applying security without thinking is bad. Even if you have enough money and hardware to spend, you 
should at least think about the balance between the amount of security you get and the amount of risk you run when 
installing another piece of software. Then you can decide if it is worth the money or hardware you need to spend.

You have choices when adopting a security posture or, if you prefer,
risk posture. I believe that it's quite difficult and almost
impossible to stay updated with all the threats, due to the exponential
growth of them.
You have a point here. That's why it is better not to base security on defenses to known and existing threats alone, 
but use defense mechanisms that protect you both against known and existing threats and against unknown and future 
threats as well. I can't help mentioning the OSSTMM again, because this is pretty much what it is about.

No security solution/technology is the miracle protection alone,
That's true.

so that's the reason everybody is talking about defense in depth.
Defense in depth is often used for another line of a similar defense
mechanism as the previous one already was. Different layers of defense
work best if the defense mechanisms differ. So if you're using anti
virus software (which gives you an authentication control and an
alarm control according to the OSSTMM), then a host IDS is not the
best additional security measure (because this also gives you an
authentication and an alarm control).

Woowoo.. I cannot agree with you, because AV has nothing to do with
protecting the end-point against network attacks. AV will alert and
protect only when the threat has already reached your end-point. Besides,
there are other layers, such as: buffer overflow protection inside
HIPS. Note that I am not talking about IDS. 8)
Sure you're right about that. There are a lot of other threats AV doesn't protect you from. Just like an IPS doesn't 
protect you against all threats. But that doesn't mean it is a wise decision to install each and every piece of security 
software you can get, because software comes with costs and risks too. This is true for IPSs too.


This would also be a risk decision, but based on facts and the rules
defined in the OSSTMM and not based on some marketing material. You
should give it a try.

It always is a risk decision, and I'm not basing MHO on any "standard",
that's based on my background... And, AFAIK, nobody can expect that
users and/or server systems will be able to apply all or any updates in
a huge environment.


Of course you don't have to agree, but I think it is better to be critical about the software you install. And if you 
don't agree and rather spend your money on things that were useful for someone else at another time and under different 
circumstances, then just do that. But I wish you wouldn't write that others must (you wrote it even in capitals) deploy 
an IPS.

Regards,
Cor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/