funsec mailing list archives

Re: so, is I[dp]S a STUPID technology?


From: Aviram Jenik <aviram () beyondsecurity com>
Date: Tue, 11 Oct 2005 23:38:29 +0200

On Tuesday, 11 October 2005 21:50, Paul Schmehl wrote:
> We're using TippingPoint at the edge,
> and I can assure you it's in blocking mode.  It's reduced the number of
> attacks we were seeing by over two thirds.
> [...]
> some of
> us have to actually deal with the crap floating around in the ether

See, this is what I don't get. I can understand the bored people (sorry Gadi) 
who want to log and monitor who attacks them and why. I _can't_ understand 
the busy people who are actually protecting their network, spending their 
time and money on silly IDS solutions.

So you blocked 2/3 of the attacks. So what?

Either those attacks were directed at vulnerabilities you have on your 
network, or they were futile attacks for services you have patched.
If the second is true - why do you care? 0 successful attacks out of 1,000 is 
equivalent to 0 out of 3,000.

If the first is true, how do you know there wasn't a successful attack in 
that 1/3 that wasn't blocked by the IDS? Surely you don't want to roll the 
dice with those odds.

True, no solution is perfect, but Paul - why won't you use your IDS/IPS 
budget, and the time you spent configuring and installing it, on running a 
vulnerability scanner on a regular basis (automatically, hopefully) and installing 
a decent patch management system to make sure your systems are up to date?

I'm not trying to be argumentative - I'm seriously trying to understand the 
logic. I must be missing something here.

- Aviram

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
