Re: so, is I[dp]S a STUPID technology?

[Roland Dobbins <rdobbins () cisco com>]

The problem is avoiding becoming a DoS vector in and of itself.

On Oct 11, 2005, at 2:01 PM, Kyle Quest wrote:

> If we are talking about IPS I'd like to point out one little thing...
> It's not just about stopping exploits, but it's also about dealing
> with denial of service attacks. Having an IPS that blocks
> denial of service attacks is definitely valuable. It can make
> or break an ecommerce business. This is just one reason.
>
> Another reason... Things aren't always simple. There are times
> when you can't just install patches as soon as they are available.
> Different types of companies have different requirements for
> qualifying updates and patches. Sometimes it takes days.
> Sometimes it takes months. So what would you suggest for
> companies like that?
>
> Kyle
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec- 
> bounces () linuxbox org]On
> Behalf Of Aviram Jenik
> Sent: Tuesday, October 11, 2005 5:38 PM
> To: funsec () linuxbox org
> Subject: Re: [funsec] so, is I[dp]S a STUPID technology?
>
>
> On Tuesday, 11 October 2005 21:50, Paul Schmehl wrote:
>
> > We're using TIppingpoint at the edge,
> > and I can assure you it's in blocking mode.  It's reduced the  
> > number of
> > attacks we were seeing by over two thirds.
> [...]
>
> > some of
> > us have to actually deal with the crap floating around in the ether
>
> See, this is what I don't get. I can understand the bored people  
> (sorry Gadi)
> who want to log and monitor who attacks them and why. I _can't_  
> understand
> the busy people who are actually protecting their network, spending  
> their
> time and money on silly IDS solutions.
>
> So you blocked 2/3 of the attacks. So what?
>
> Either those attacks were directed at vulnerabilities you have on your
> network, or they were futile attacks for services you have patched.
> If the second is true - why do you care? 0 successful attacks out  
> of 1,000 is
> equivalent to 0 out of 3,000.
>
>  If the first is true, how do you know there wasn't a successful  
> attack in
> that 1/3 that wasn't blocked by the IDS? Surely you don't want to  
> roll the
> dice with those odds.
>
> True, no solution is perfect, but Paul - why won't you use your IDS/ 
> IPS
> budget, and the time you spent configuring and installing it, in  
> running a
> vulnerability scanner at regular basis (automatically, hopefully)  
> and install
> a decent patch management system to make sure your systems are up  
> to date?
>
> I'm not trying to be argumentative - I'm seriously trying to  
> understand the
> logic. I must be missing something here.
>
> - Aviram
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

-------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things.

                      -- Doug Gwyn
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.