RE: Checkpoint IPS

["Raymond Burkholder" <ray () oneunified net>]

> > But there's no overstating the usefulness of a properly-tuned IPS for
> > attack prevention
>
> I've never heard a plausible anecdote, much less seen meaningful
statistics,
> of these devices actually 'preventing' anything.

I think it depends upon where you put them, and whether or not you have
skilled people involved.  Given good placement, and experienced management,
I have seen the usefulness of these devices ... by personally reviewing the
logs and being the recipient of drop alerts of the devices in terms of what
they can reject.

> I have, however, run into many, many situations in which these devices
> demonstrably degraded the security posture of network operators,
> particularly when placed in front of servers or broadband access networks.
> For example, they're laughably easy to DDoS due to state exhaustion -
which
> is what is the main point of the presentation you reference.

Sometimes we get in to corner cases too easily where the negative is easily
applied.  Yes, they can be DDoS'd.  Yes they can be useless in the hands of
the unskilled and unknowing.

On the other hand, given good placement in strategic places, and maintained
appropriately, they can live up the their expectations.

> And the fact that well-known evasion techniques still work against these
> devices today, coupled with the undeniable proliferation of compromised
> hosts residing within networks supposedly 'protected' by these devices,
> militates against your proposition.

Well.... again, yes, they may not get all zero-day exploits.  That is
another corner case.  But they can certainly prevent getting hit by the same
old stuff over and over again.  I've seen drop rules for the Bash issue, and
the openssl issue put in place, and when implemented, prevent the further
spread of the malicious payloads.  There must some sort of value in that?



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.