Re: Checkpoint IPS

[Michael Hallgren <m.hallgren () free fr>]

Le 05/02/2015 14:15, jim deleskie a écrit :
> mh,

Hi there Jim :-)

>  you know that forcing traffic to be symmetrical is evil,

Voilà !

> and while backbone traffic and inspection don't play nice, there are
> very legit reasons why, in many cases edge traffic must be open for
> inspection.

Yes, right, often some such `control' is on wish-lists.

>   I'm on my way to the office, feel free to ping me if you want to
> discuss.  Or maybe I could use it as a reason to come visit  its been
> a while since we've had a chance to vis-a-vis :)

With pleasure! Yes, too long time... TTYS,

mh
> -jim
>
> On Thu, Feb 5, 2015 at 8:57 AM, Terry Baranski
> <terry.baranski.list () gmail com <mailto:terry.baranski.list () gmail com>>
> wrote:
>
>     On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
>     > Le 04/02/2015 17:19, Roland Dobbins a écrit :
>     >>
>     >> Real life limitations?
>     >> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>     >
>     > Right ;-) Among many other nice ones, I like:
>     >
>     > `` ‘IPS’ devices require artificially-engineered topological
>     symmetry-
>     > can have a negative impact on resiliency via path diversity.''
>
>     Dang, I thought this quote was from an April 1st RFC when I first
>     read it.
>
>     I hate to be the bearer of bad news, but everything we do is
>     "artificial".
>     There are no routers in nature, no IP packets, no fiber optics.
>     There is no
>     such thing as "natural engineering" -- engineering is "artificial" by
>     definition.
>
>     So when you're configuring artificially-engineered protocols on your
>     artificially-engineered router so that your
>     artificially-engineered network
>     can transmit artificially-engineered packets, adding some extra
>     artificially-engineered logic to enforce symmetry won't break the
>     bank, I
>     promise. And when done properly it has absolutely no impact on
>     resilience
>     and path diversity, and will do you all the good in the world from a
>     troubleshooting perspective (those of you who operate networks).
>
>     The whole presentation is frankly just odd to me. It looks at one
>     specific
>     CND thread (DDoS), and attempts to address it by throwing out the
>     baby with
>     the bathwater. It says to eliminate state at all costs, but then
>     at the end
>     advocates for reverse proxies -- which are stateful, and which
>     therefore
>     create the same "problems" as firewalls and IPSs.
>
>     The idea of ripping out firewall/IPS devices and replacing them
>     with router
>     ACLs is something that, if I were an attacker, I would definitely
>     encourage
>     all of my targets to do. Firewalls aren't so much the big issue --
>     one can
>     theoretically use router ACLs for basic L3/L4 blocks, though they
>     scale
>     horribly from an O&M perspective, are more prone to configuration
>     errors,
>     and their manageability is poor. But there's no overstating the
>     usefulness
>     of a properly-tuned IPS for attack prevention, and the comment in
>     the brief
>     comparing an IPS to "[Having] your email client set to alert you
>     to incoming
>     mail" is so bizarre that I wouldn't even know how to counter it.
>
>     (I know you're out there Roland and my intention isn't to get into
>     a big
>     thing with you. But the artificial-engineering thing gave me a
>     chuckle.)
>
>     On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
>     > Le 05/02/2015 08:01, Roland Dobbins a écrit :
>     >>
>     >> The real question is, why 'inspect', at all?
>     >
>     > Yes, that's an even more interesting discussion!
>
>     Only if your assets aren't targets. :-)
>
>     -Terry