funsec mailing list archives

RE: so, is I[dp]S a STUPID technology?


From: "Dave Hawkins" <DaveH () Radware com>
Date: Tue, 11 Oct 2005 17:02:42 -0400

At the very least, that 2/3 that was blocked is bandwidth that isn't
used up on the inside of the network.  Sure, it still soaked up some
usage on the main pipe inbound, but it didn't get anywhere afterwards.

Since I'm an IPS vendor, pardon my bias.  But let me give you two
examples of how we helped some people, and justified our existence in
their network:

1.) Major DNS host constantly being threatened with DDoS attacks.  They
have huge pipes inbound, but even with tons of load balancing the
servers were getting squished.  Our device goes in front of the server
farm and things are much better.

2.) Major carrier in an unnamed Asian country sees that a whopping 60%
of their bandwidth is propagation of a known worm.  This is their
customers trying to infect one another.  Our device goes in place and
cleans it up, stopping it between segments and preventing it from
getting out their internet pipe (thus saving them $$).

Sure, there will always be successful attacks that aren't blocked or
reported.  But in a lot of cases, blocking 2/3 of something is better
than blocking nothing and smugly relying on vuln scanners.  In the case
of carriers, they can't scan their clients, and even if they could, they
can't force them to get the appropriate patches/updates.

...just my two cents.

-Dave


-----Original Message-----
From:  Aviram Jenik

See, this is what I don't get. I can understand the bored people (sorry
Gadi) who want to log and monitor who attacks them and why. I _can't_
understand the busy people who are actually protecting their network,
spending their time and money on silly IDS solutions.

So you blocked 2/3 of the attacks. So what?

Either those attacks were directed at vulnerabilities you have on your
network, or they were futile attacks for services you have patched.
If the second is true - why do you care? 0 successful attacks out of
1,000 is equivalent to 0 out of 3,000.

If the first is true, how do you know there wasn't a successful attack
in that 1/3 that wasn't blocked by the IDS? Surely you don't want to
roll the dice with those odds.

True, no solution is perfect, but Paul - why won't you use your IDS/IPS
budget, and the time you spent configuring and installing it, on running
a vulnerability scanner on a regular basis (automatically, hopefully) and
installing a decent patch management system to make sure your systems are
up to date?

I'm not trying to be argumentative - I'm seriously trying to understand
the logic. I must be missing something here.

- Aviram


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.