IDS mailing list archives
Re: ISS - virtual patching
From: "David Maynor" <dmaynor () gmail com>
Date: Sat, 22 Jul 2006 09:29:28 -0400
You are making some assumptions here: 1. You find out about the vuln the same time ISS does. Due to excellent threat intelligent and a top notch Research and Development team they are likely to know about the threat long before you do. 2. The fact that a security vendor actually has the ability to test traffic in the wild is pretty impressive and should be considered the standard. Protocols are updated all the time, traffic changes constantly, the only way to make sure you are hitting the bad traffic and not blocking the good is real world testing. Since I use to be in R&D at ISS there I will say 8 weeks is a bit much, but the sig soak in periods are more than enough to shake alot of false positives out. On 11 Jul 2006 14:34:41 -0000, phb () gmail com <phb () gmail com> wrote:
I was at an ISS event (but I guess it applies to all IPS vendors) where they said after a signature is written they QA it to prevent false positives, for about 8 weeks in the wild. It sounded a little counter productive to the "virtual patching" claims, since that often means the protection comes in after I've already patched the system. I agree I wouldn't deploy prevention prior to being sure it'll not cause a DoS to the network (or at all until this technology matures a little more), but with this attitude what is the IPS virtual patch hype all about? ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- ISS - virtual patching phb (Jul 12)
- Re: ISS - virtual patching David Maynor (Jul 24)
- Re: ISS - virtual patching Stefano Zanero (Jul 27)
- <Possible follow-ups>
- Re: ISS - virtual patching john (Jul 21)
- Re: Re: ISS - virtual patching David Maynor (Jul 24)
- Re: ISS - virtual patching thunking (Jul 21)
- RE: ISS - virtual patching Palmer, Paul (ISSAtlanta) (Jul 24)
- RE: ISS - virtual patching Palmer, Paul (ISSAtlanta) (Jul 24)
- RE: ISS - virtual patching Palmer, Paul (ISSAtlanta) (Jul 25)
- Re: ISS - virtual patching David Maynor (Jul 24)