Re: IPS arguments

[Trygve Aasheim <trygve () pogostick net>]

I agree, and disagree.

An IPS does a lot more than protect against exploits.
And of course, all people should behave well, all developers should 
write secure code, all patches should be installed and everybody should 
respect eachother in traffic on their way to work.

The world isn't like that, but it is a good thought.

Users will always try "something", developers will always make mistakes 
from time to time, patches might not arrive in time to protect against 
threats (ref. Adobe these days) and the world is a place for people who 
think about themselves first. Sorry. But then...that might be a good 
thing. It's why we have a pay check  ;)

What can an IPS system give you?
How about monitoring and blocking typical back connections from bots? 
Shellcode being sent over the network? The use of remote desktop tools 
from outside your network (logmein etc)? SSH over other ports than 22? A 
lightweight DLP solution? etc etc etc (a typical IPS usually have 
hundreds of different signatures/filters etc for stuff like this)

I'm not saying that your points ain't valid, and this is not black/white 
- but an IPS is a lot more than just detecting exploit attempts.

Regards,
T

Danny Fullerton skrev:
> Personally, from my experience,
>
> IPS should not be the main technology to think of when in come to
> improving security. I seen a lot more ROSI on getting better secure
> development cycle, tight patching process and selecting more `secure by
> design` technologies (memory protection, java instead of c++, avoid
> Windows when possible, buy software from security oriented company and
> do some pen test on those application, etc) then implementing those
> complicated IPS system. For sure, an IPS might be a good thing if all
> the above is already covered and you still have some money to invest but
> it should not be the first thing to think of.
>
> regards,