Firewall Wizards mailing list archives
RE: IPS (was: Sources for Extranet Designs?)
From: Paul Robertson <proberts () patriot net>
Date: Thu, 26 Feb 2004 18:02:10 -0500 (EST)
On Thu, 26 Feb 2004, Marcus J. Ranum wrote:
> Can you explain how these "signatures" and "protocol anomaly" detectors and "behavior and flow capabilities" are going to NOT suffer all the problems with false positives that caused Gartner to announce that IDS was a failure?
It's worse, IMO- I think IPS is the loss of default deny/principle of least priv. - so rather than strengthening rulesets to stop more bad stuff, we're back to the "prove it's bad, then we block it" mentality- that's never worked for security before, and I don't see how it's going to work now. It's no wonder proponents are touting universities (apologies to the .edu admins on this list who've overcome those battles the hard way)- where the prove it bad mentality has had its best survival rate. Now that we've actually gotten back to the point where firewalls are capable of doing application layer decisions, it seems rather silly to toss that back out again and go with yet-another-miracle. The only thing something like network IPS gets you over a traditional firewall is the ability to catch some of the tunnel-over-everything protocols- and you can do that with a lot of modern firewalls (and could have written it in to lots of older ones.) Why do management layer folks have such a preference for reactive rather than proactive security? In today's environment, we've actually gotten to the point where proactive security's palatable- why all the backpedaling?
> (* With apologies to my horse P-nut who doesn't read this list.

Hey, he's welcome to subscribe- anyway maybe he can partner with the cat and test IPS systems? :-P

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards