funsec mailing list archives

Re: so, is I[dp]S a STUPID technology?


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 11 Oct 2005 17:13:35 -0500

--On Tuesday, October 11, 2005 23:38:29 +0200 Aviram Jenik <aviram () beyondsecurity com> wrote:

> On Tuesday, 11 October 2005 21:50, Paul Schmehl wrote:
>> We're using TippingPoint at the edge, and I can assure you it's in
>> blocking mode. It's reduced the number of attacks we were seeing by
>> over two thirds.
>> [...]
>> some of us have to actually deal with the crap floating around in the
>> ether

> See, this is what I don't get. I can understand the bored people (sorry
> Gadi) who want to log and monitor who attacks them and why. I _can't_
> understand the busy people who are actually protecting their network,
> spending their time and money on silly IDS solutions.
>
> So you blocked 2/3 of the attacks. So what?
>
> Either those attacks were directed at vulnerabilities you have on your
> network, or they were futile attacks for services you have patched.
> If the second is true - why do you care? 0 successful attacks out of
> 1,000 is equivalent to 0 out of 3,000.

What if I *do* have a vulnerability and the IPS blocked the attack? Then I'm ahead of the game.

> If the first is true, how do you know there wasn't a successful attack
> in that 1/3 that wasn't blocked by the IDS? Surely you don't want to
> roll the dice with those odds.

I'm in edu.  We roll the dice every day.  :-)

> True, no solution is perfect, but Paul - why won't you use your IDS/IPS
> budget, and the time you spent configuring and installing it, in running
> a vulnerability scanner on a regular basis (automatically, hopefully) and
> install a decent patch management system to make sure your systems are
> up to date?

If you can recommend an *enterprise* capable vulnerability scanner (IOW one that I can schedule massive scanning events for a class A *and* class B network and then go look at the results when I have time) that doesn't cost more than my annual budget, then please do. I can guarantee you ISS is *not* it, and we spent a fortune (as fortunes go in edu) on the damn thing. It's completely worthless. I can't even successfully scan nine webservers with the damn thing.

Nessus? Nessus is useful on a one-off basis, but I need a vuln scanner that will work in the background, 24/7 and generate *useful* reports that tell me where my problems are. I'm not aware of one that does that that I can afford. Are you?

> I'm not trying to be argumentative - I'm seriously trying to understand
> the logic. I must be missing something here.

I think you are. And I'm not trying to be argumentative either. We all learn from each other because each of us has different skill sets and different exposures that color our outlooks.

In edu, I cannot guarantee you, even if I could five minutes ago, that I don't have vulnerabilities on my network. They come and go as fast as the students and faculty do. (Staff I can pretty much control.) What doesn't exist on my network now may well exist tomorrow. So, an IPS that blocks known attacks at the edge gives me an extra layer of protection against the idiots inside. It's as simple as that.

I could tell you stories, but you don't have the time, and neither do I. Suffice it to say that I'm vulnerable 100% of the time *somewhere* in my network, and I don't know it, because they *just* plugged the damn thing in.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
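The disagreement above comes down to one measurable question: of the attacks an edge IPS blocks, how many targeted a host the last vulnerability scan actually found exposed, how many hit a host the scanner had already seen patched, and how many hit a host no scan had reached yet (the "they just plugged the damn thing in" case). The following script is an added example, not code from the funsec thread or from either poster; it correlates constructed nightly scan snapshots with a constructed IPS block log and buckets each block accordingly. Every host address, `VULN-*` id, timestamp and function name is an assumption made for illustration.

```python
"""Correlate nightly vulnerability-scan snapshots with edge IPS block events.

Added example, not code from the funsec thread. All hosts, vuln ids and
timestamps are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str  # scanner check id; placeholder values here


@dataclass(frozen=True)
class Scan:
    when: datetime
    hosts: FrozenSet[str]          # every host the scan reached, vulnerable or not
    findings: FrozenSet[Finding]   # what it found on those hosts


# Constructed nightly scans: 10.0.2.40 appears between runs; 10.0.1.9 gets patched.
SCANS: List[Scan] = [
    Scan(datetime(2005, 10, 10, 2, 0),
         frozenset({"10.0.1.5", "10.0.1.9", "10.0.1.20"}),
         frozenset({Finding("10.0.1.5", "VULN-A"), Finding("10.0.1.9", "VULN-B")})),
    Scan(datetime(2005, 10, 11, 2, 0),
         frozenset({"10.0.1.5", "10.0.1.9", "10.0.1.20", "10.0.2.40"}),
         frozenset({Finding("10.0.1.5", "VULN-A"), Finding("10.0.2.40", "VULN-C")})),
]

# Constructed IPS block log: (time, destination host, vuln id the signature covers).
Block = Tuple[datetime, str, str]
IPS_BLOCKS: List[Block] = [
    (datetime(2005, 10, 10, 14, 0), "10.0.1.5", "VULN-A"),
    (datetime(2005, 10, 10, 15, 0), "10.0.1.9", "VULN-B"),
    (datetime(2005, 10, 11, 9, 0), "10.0.2.40", "VULN-C"),
    (datetime(2005, 10, 11, 11, 0), "10.0.1.9", "VULN-B"),   # patched by then
    (datetime(2005, 10, 11, 12, 0), "10.0.3.7", "VULN-A"),   # never scanned
]


def snapshot_diff(older: Scan, newer: Scan) -> Tuple[FrozenSet[Finding], FrozenSet[Finding]]:
    """(appeared, resolved): findings new since the older scan, and findings gone."""
    return newer.findings - older.findings, older.findings - newer.findings


def latest_scan_before(t: datetime, scans: List[Scan]) -> Optional[Scan]:
    """Most recent scan at or before t, or None if no scan had run yet."""
    earlier = [s for s in scans if s.when <= t]
    return max(earlier, key=lambda s: s.when) if earlier else None


def classify_blocks(blocks: List[Block], scans: List[Scan]) -> Dict[str, List[Block]]:
    """Bucket each block by what the last scan before it knew about the target.

    vulnerable_target          the last scan found that host exposed to that vuln
    known_host_not_vulnerable  the scan reached the host and did not find it
    unscanned_host             no scan before the block had reached the host
    """
    out: Dict[str, List[Block]] = {
        "vulnerable_target": [], "known_host_not_vulnerable": [], "unscanned_host": []}
    for blk in blocks:
        t, host, vuln = blk
        scan = latest_scan_before(t, scans)
        if scan is None or host not in scan.hosts:
            out["unscanned_host"].append(blk)
        elif Finding(host, vuln) in scan.findings:
            out["vulnerable_target"].append(blk)
        else:
            out["known_host_not_vulnerable"].append(blk)
    return out


def summarize(blocks: List[Block], scans: List[Scan]) -> Dict[str, int]:
    """Counts per bucket: the short report a busy admin actually wants to read."""
    return {k: len(v) for k, v in classify_blocks(blocks, scans).items()}


if __name__ == "__main__":
    appeared, resolved = snapshot_diff(SCANS[0], SCANS[1])
    print("new since last scan:", sorted(f.host for f in appeared))
    print("resolved since last scan:", sorted(f.host for f in resolved))
    for bucket, blks in classify_blocks(IPS_BLOCKS, SCANS).items():
        print(bucket, [(h, v) for _, h, v in blks])
```

On the constructed data the "vulnerable_target" bucket holds three blocks, which is the case where the IPS and the scanner agree the attack would have mattered; "known_host_not_vulnerable" holds the one block Aviram's argument calls futile; and "unscanned_host" holds the block against a host no scan had reached, which is precisely the window Paul describes and the one a scheduled scanner cannot report on until its next run.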

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
