nanog mailing list archives

RE: Re: Checkpoint IPS


From: "Darden, Patrick" <Patrick.Darden () p66 com>
Date: Fri, 6 Feb 2015 14:27:25 +0000

IPSes are like any security technology, they are only as good as their implementor/administrator.  I've seen some 
installations just set up defaults and leave them that way without any maintenance or much oversight of alarms.  I've 
even seen some that do 0-day implementation of new signatures, and get some legitimate or even ALL traffic blocked by a 
bad signature (Astaro/Sophos UTM) update back in ~2004.  

On the other hand, I've seen some great implementations--some of which did a FANTASTIC job of making a network 
auditable, some of which made a network less liable legally and financially, and quite a few that made a network more 
secure.

To me, the big drawback of an IPS is, no matter how well integrated, implemented, and maintained--its fundamental 
nature is flawed.  Instead of default-deny with white lists, it is default-allow with black lists.  It will always lag 
behind.  It will always allow infinitely large holes.  That's why I prefer an OSI complete firewall instead, or else an 
IPS in detect mode only, or in certain cases an IPS used in a specific case, e.g. a WAF or SAF for a 
server/application/zone that is specifically fuzzy or will not adhere to security principles (vendor demilitarized 
zones, enclaves, whatever the buzz-word is at the moment).

I understand the whole argument against state, and dismiss it.  That's throwing the baby out with the bathwater.  It 
isn't perfect, it can be overcome via DDOS and saturation, so we should get rid of it.  Tanks can be destroyed by 
bazookas, whatever.  Tanks are still useful in the battlefield if utilized properly.  Firewalls and IPSes are the same 
way.

--p