nanog mailing list archives
RE: Checkpoint IPS
From: "Raymond Burkholder" <ray () oneunified net>
Date: Thu, 5 Feb 2015 13:38:13 -0400
>> But there's no overstating the usefulness of a properly-tuned IPS for attack prevention.

> I've never heard a plausible anecdote, much less seen meaningful statistics, of these devices actually 'preventing' anything.
I think it depends upon where you put them, and whether or not you have skilled people involved. Given good placement, and experienced management, I have seen the usefulness of these devices ... by personally reviewing the logs and being the recipient of drop alerts of the devices in terms of what they can reject.
> I have, however, run into many, many situations in which these devices demonstrably degraded the security posture of network operators, particularly when placed in front of servers or broadband access networks. For example, they're laughably easy to DDoS due to state exhaustion - which is the main point of the presentation you reference.
Sometimes we get into corner cases too easily where the negative is easily applied. Yes, they can be DDoS'd. Yes, they can be useless in the hands of the unskilled and unknowing. On the other hand, given good placement in strategic places, and maintained appropriately, they can live up to their expectations.
> And the fact that well-known evasion techniques still work against these devices today, coupled with the undeniable proliferation of compromised hosts residing within networks supposedly 'protected' by these devices, militates against your proposition.
Well.... again, yes, they may not get all zero-day exploits. That is another corner case. But they can certainly prevent getting hit by the same old stuff over and over again. I've seen drop rules for the Bash issue, and the openssl issue put in place, and when implemented, prevent the further spread of the malicious payloads. There must be some sort of value in that?
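As an added illustration of the two positions above (a "drop rule for the Bash issue" that works against the same old stuff, and a hastily written rule that "well-known evasion techniques" still get past), here is a small, constructed model of a header-inspection drop rule. It is not code from the thread or from any Check Point product; the sample requests, the `PLACEHOLDER_COMMAND` token and the rule logic are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (header name -> value), not captured traffic.
# The marker of interest is the Bash function-definition prelude "() {"
# arriving in a header that a CGI host would copy into the environment.
SAMPLES = {
    "benign":      {"User-Agent": "Mozilla/5.0", "Cookie": "session=abc"},
    "textbook":    {"User-Agent": "() { :;}; PLACEHOLDER_COMMAND"},
    "spaced":      {"Cookie": "()  {\t:; };  PLACEHOLDER_COMMAND"},  # extra whitespace
    "url_encoded": {"Referer": "%28%29%20%7B%20%3A%3B%7D%3B%20PLACEHOLDER_COMMAND"},
}

# A first-draft rule: literal substring match, no normalisation.
NAIVE_RULE = "() {"

# A tuned rule: tolerate whitespace between the tokens and decode the value first.
PRELUDE = re.compile(r"\(\s*\)\s*\{")


def naive_drop(headers):
    """Drop if any header value contains the literal marker."""
    return any(NAIVE_RULE in v for v in headers.values())


def normalise(value, rounds=2):
    """Undo up to `rounds` layers of URL-encoding before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def tuned_drop(headers):
    """Drop if the prelude pattern appears in any normalised header value."""
    return any(PRELUDE.search(normalise(v)) for v in headers.values())


def evaluate(rule):
    """Run one drop rule over every constructed sample; True means 'dropped'."""
    return {name: rule(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("naive", naive_drop), ("tuned", tuned_drop)):
        print(label, evaluate(rule))
```

The naive rule drops only the textbook form and passes the two trivially varied ones, which is the evasion argument; the tuned rule drops all three while leaving the benign request alone, which is the "properly-tuned" side of the discussion.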