Penetration Testing mailing list archives
Re: IPS arguments
From: "Webmaster 003" <webmaster () networkdefense biz>
Date: Fri, 27 Feb 2009 10:17:01 -0500
IPS can be used strategically in areas that you have subnetted, and then the cost factor for implementation would be negligible, even if you are using a commercial IPS. Yes, you would have to get your client's sys admin some training in writing their own IPS rules. Some companies are able to dictate how their software is coded, but most companies buy COTS and then are invested in the software they have learned how to use. For us to be "Should-ing" all over our clients does not further the goal of protecting their networks. Isn't Snort still available for free?
If we use Snort, can't we drive some acceptance in the eyes of our clients?
http://www.uno-code.com/?q=node/59 <-- an article on Snort as IPS. Written for gentoo-linux but easily adjustable to some other linux
On Fri, 27 Feb 2009 02:11:18 -0500, Trygve Aasheim <trygve () pogostick net> wrote:
I agree, and disagree. An IPS does a lot more than protect against exploits.

And of course, all people should behave well, all developers should write secure code, all patches should be installed and everybody should respect each other in traffic on their way to work.

The world isn't like that, but it is a good thought.

Users will always try "something", developers will always make mistakes from time to time, patches might not arrive in time to protect against threats (ref. Adobe these days) and the world is a place for people who think about themselves first. Sorry. But then...that might be a good thing. It's why we have a pay check ;)

What can an IPS system give you?

How about monitoring and blocking typical back connections from bots? Shellcode being sent over the network? The use of remote desktop tools from outside your network (logmein etc)? SSH over other ports than 22? A lightweight DLP solution? etc etc etc (a typical IPS usually has hundreds of different signatures/filters etc for stuff like this)

I'm not saying that your points ain't valid, and this is not black/white - but an IPS is a lot more than just detecting exploit attempts.

Regards, T

Danny Fullerton wrote:

Personally, from my experience, IPS should not be the main technology to think of when it comes to improving security. I have seen a lot more ROSI on getting a better secure development cycle, a tight patching process and selecting more `secure by design` technologies (memory protection, Java instead of C++, avoid Windows when possible, buy software from security oriented companies and do some pen tests on those applications, etc) than implementing those complicated IPS systems. For sure, an IPS might be a good thing if all the above is already covered and you still have some money to invest but it should not be the first thing to think of.

regards,