funsec mailing list archives

RE: so, is I[dp]S a STUPID technology?


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 11 Oct 2005 17:50:31 -0400

Of course, there's a risk. That's why
you need to test available solutions in
your environment first to see if it works
for you. In general, IPS is not the only
DoS vector in that case. The rest of the network
infrastructure has similar problems
(e.g. routers/switches or the uplink to the service
provider). As of now, none of the IPS solutions
can provide absolute protection from flood attacks.
All of them have a breaking point, but that's another
reason to do your homework/math and deploy the
solutions that actually fit your network needs.


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Roland Dobbins
Sent: Tuesday, October 11, 2005 5:14 PM
To: funsec () linuxbox org
Subject: Re: [funsec] so, is I[dp]S a STUPID technology?



The problem is avoiding becoming a DoS vector in and of itself.

On Oct 11, 2005, at 2:01 PM, Kyle Quest wrote:

If we are talking about IPS I'd like to point out one little thing...
It's not just about stopping exploits, but it's also about dealing
with denial of service attacks. Having an IPS that blocks
denial of service attacks is definitely valuable. It can make
or break an ecommerce business. This is just one reason.

Another reason... Things aren't always simple. There are times
when you can't just install patches as soon as they are available.
Different types of companies have different requirements for
qualifying updates and patches. Sometimes it takes days.
Sometimes it takes months. So what would you suggest for
companies like that?

Kyle

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Aviram Jenik
Sent: Tuesday, October 11, 2005 5:38 PM
To: funsec () linuxbox org
Subject: Re: [funsec] so, is I[dp]S a STUPID technology?


On Tuesday, 11 October 2005 21:50, Paul Schmehl wrote:

We're using TippingPoint at the edge, and I can assure you it's in blocking mode.
It's reduced the number of attacks we were seeing by over two thirds.

[...]

some of
us have to actually deal with the crap floating around in the ether


See, this is what I don't get. I can understand the bored people (sorry Gadi)
who want to log and monitor who attacks them and why. I _can't_ understand
the busy people who are actually protecting their network, spending their
time and money on silly IDS solutions.

So you blocked 2/3 of the attacks. So what?

Either those attacks were directed at vulnerabilities you have on your
network, or they were futile attacks for services you have patched.
If the second is true - why do you care? 0 successful attacks out of 1,000 is
equivalent to 0 out of 3,000.

If the first is true, how do you know there wasn't a successful attack in
that 1/3 that wasn't blocked by the IDS? Surely you don't want to roll the
dice with those odds.

True, no solution is perfect, but Paul - why won't you use your IDS/IPS
budget, and the time you spent configuring and installing it, in running a
vulnerability scanner at regular basis (automatically, hopefully) and install
a decent patch management system to make sure your systems are up to date?

I'm not trying to be argumentative - I'm seriously trying to understand the
logic. I must be missing something here.

- Aviram

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



-------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things.

                       -- Doug Gwyn

