Re: IPS arguments

["Webmaster 003" <webmaster () networkdefense biz>]

IPS can be used strategically in areas that you have subnetted, and then  
the cost factor for implementation would be negligable, even if you are  
using a comercial IPS.  Yes, you would have to get your client's sys admin  
some training in writing their own IPS rules.  Some companies are able to  
dictate how their software is coded, but most companies buy COTS and then  
are invested in the software they have learned how to use.  For us to be  
"Should-ing" all over our clients does not further the goal of protecting  
their networks.  Isn't Snort still available for free?

If we use Snort, can't we drive some acceptance in the eyes of our clients?
http://www.uno-code.com/?q=node/59 <-- an article on Snort as IPS.   
Written for gentoo-linux but easily adjustable to some other linux



On Fri, 27 Feb 2009 02:11:18 -0500, Trygve Aasheim <trygve () pogostick net>  
wrote:

> I agree, and disagree.
>
> An IPS does a lot more than protect against exploits.
> And of course, all people should behave well, all developers should  
> write secure code, all patches should be installed and everybody should  
> respect eachother in traffic on their way to work.
>
> The world isn't like that, but it is a good thought.
>
> Users will always try "something", developers will always make mistakes  
> from time to time, patches might not arrive in time to protect against  
> threats (ref. Adobe these days) and the world is a place for people who  
> think about themselves first. Sorry. But then...that might be a good  
> thing. It's why we have a pay check  ;)
>
> What can an IPS system give you?
> How about monitoring and blocking typical back connections from bots?  
> Shellcode being sent over the network? The use of remote desktop tools  
> from outside your network (logmein etc)? SSH over other ports than 22? A  
> lightweight DLP solution? etc etc etc (a typical IPS usually have  
> hundreds of different signatures/filters etc for stuff like this)
>
> I'm not saying that your points ain't valid, and this is not black/white  
> - but an IPS is a lot more than just detecting exploit attempts.
>
> Regards,
> T
>
> Danny Fullerton skrev:
> > Personally, from my experience,
> >  IPS should not be the main technology to think of when in come to
> > improving security. I seen a lot more ROSI on getting better secure
> > development cycle, tight patching process and selecting more `secure by
> > design` technologies (memory protection, java instead of c++, avoid
> > Windows when possible, buy software from security oriented company and
> > do some pen test on those application, etc) then implementing those
> > complicated IPS system. For sure, an IPS might be a good thing if all
> > the above is already covered and you still have some money to invest but
> > it should not be the first thing to think of.
> >  regards,



--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/