Re: IPS arguments

[Micheal Cottingham <techie.micheal () gmail com>]

Touche. :)

But ... I'll argue that if hardening and least-privilege isn't
followed, is it really defense in depth? Just thought I'd throw that
out there.

On Tue, Mar 3, 2009 at 7:45 PM, JoePete <security-focus () joepete com> wrote:
> Here's Catch-22: If we really believed in "defense in-depth," then would
> we need IPS to begin with?
>
> With rare exception, the problem is, for whatever reason, we have
> implemented systems throughout an organization with far too many
> vulnerabilities and permissions. If we believed in defense in-depth,
> then we would also believe in least privilege, but clearly the fact that
> every secretary in America is on Yahoo Messenger, MySpace, etc. means
> that we skipped right over that. So too is it that the most popular
> combination of OS and browser in corporate America is a perfect storm of
> infosec vulnerability, but we roll out 20,000-plus networks of these
> combinations because ... well that's the question, why do we do it?
>
> Since we have punted on the individual systems that comprise the
> network, we throw everything we have at the perimeter. Invariably when
> someone gets through the perimeter and has free run inside the network.
> Rather than fixing the network, we just look for another appliance to
> layer on at the perimeter. Defense in-depth is a nice a concept, but as
> applied, it more often than not becomes defense via duct tape -- just
> keep slapping on another piece rather than fixing what's underneath.
> IMHO :-)
>
> --
> JoePete