IDS mailing list archives

Re: IDS\IPS that can handle one Gig


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 07 Jun 2005 15:59:24 -0500

On Tue, 2005-06-07 at 21:06 +0530, Control Zed wrote:
> Sometimes it may not be possible to patch critical servers simply
> because you can't afford the downtime or you don't know if the patches
> would break other critical applications or software.

If downtime is important, surely there are redundancies in place. You
should be able to take one set, patch it, verify it, and put it back in
production, and then repeat the same with the second set. (Of course you
have the whole thing already tested in your test environment...right?)

Any company that does not have the capability of working on one half of
a redundant setup, or doesn't even have a redundant setup or a test-bed,
still hasn't properly addressed handling critical servers or dealing
with redundancy and downtime issues. Shops without redundant
capabilities have other problems that need to be addressed first. After
all, availability is an important leg of most security mantras.

> So if you know
> the vulnerability and the way it can be exploited, you can protect it
> till you can find time to patch it. Nothing wrong in this approach.

Except for "finding time". 

The risk is that people will brush applying patches aside to deal with
other more important issues (like fixing non-redundant servers). It's
the same thing with input validation during code development. Yeah,
developers know about it, but they just don't have the time to properly
implement it. I think relying on IPSes to buy time for patch
installation will do the same thing. Why patch today when you can wait a
month and roll up several patches at once?

Peter and Vikram were referring to finding a balance between these VM
and IPS. However, it is not an either-or situation. If you have an IPS
in place, and even if you don't have any vulnerability management
software in place, you still have to balance the patching issue.

I'm just highlighting the danger that if you have one or both in place,
people might become complacent with actually fixing the vulnerabilities.

If you don't have to right away, but could patch systems at your
leisure, would you do it?
If you don't have to right away, but could implement input validation
after the fact, would you do it?

Principle and "correctness" often get compromised for $EXCUSE.

Cheers,
Frank
