Penetration Testing mailing list archives

Re: IPS arguments


From: Micheal Cottingham <techie.micheal () gmail com>
Date: Sun, 1 Mar 2009 01:06:33 -0500

I like to think of an IPS, regardless of what vendor you use, as a
"virtual patch." That is, it buys you some time until you can get
those lovely patches tested and rolled out over a 20k+ PC environment.
;) An IPS is not, and should not be, the be-all and end-all, which is
why in my earlier email I mentioned defense in depth.

I absolutely think IPSs have their place in the enterprise, but
anybody that thinks IPSs are going to solve all their problems needs
to rethink their strategies. :)

Micheal

On Fri, Feb 27, 2009 at 2:11 AM, Trygve Aasheim <trygve () pogostick net> wrote:
I agree, and disagree.

An IPS does a lot more than protect against exploits.
And of course, all people should behave well, all developers should write
secure code, all patches should be installed and everybody should respect
each other in traffic on their way to work.

The world isn't like that, but it is a good thought.

Users will always try "something", developers will always make mistakes from
time to time, patches might not arrive in time to protect against threats
(ref. Adobe these days) and the world is a place for people who think about
themselves first. Sorry. But then...that might be a good thing. It's why we
have a paycheck ;)

What can an IPS system give you?
How about monitoring and blocking typical back connections from bots?
Shellcode being sent over the network? The use of remote desktop tools from
outside your network (logmein etc)? SSH over other ports than 22? A
lightweight DLP solution? etc etc etc (a typical IPS usually has hundreds
of different signatures/filters etc for stuff like this)

I'm not saying that your points ain't valid, and this is not black/white -
but an IPS is a lot more than just detecting exploit attempts.

Regards,
T

Danny Fullerton wrote:

Personally, from my experience,

IPS should not be the main technology to think of when it comes to
improving security. I have seen a lot more ROSI on getting a better secure
development cycle, a tight patching process and selecting more `secure by
design` technologies (memory protection, Java instead of C++, avoiding
Windows when possible, buying software from security-oriented companies and
doing some pen tests on those applications, etc) than on implementing those
complicated IPS systems. For sure, an IPS might be a good thing if all
the above is already covered and you still have some money to invest, but
it should not be the first thing to think of.

regards,
