funsec mailing list archives
RE: so, is I[dp]S a STUPID technology?
From: "Dave Hawkins" <DaveH () Radware com>
Date: Tue, 11 Oct 2005 17:02:42 -0400
At the very least, that 2/3 that was blocked is bandwidth that isn't used up on the inside of the network. Sure, it still soaked up some usage on the main pipe inbound, but it didn't get anywhere afterwards.

Since I'm an IPS vendor, pardon my bias. But let me give you two examples of how we helped some people, and justified our existence in their network:

1.) Major DNS host constantly being threatened with DDoS attacks. They have huge pipes inbound, but even with tons of load balancing the servers were getting squished. Our device goes in front of the server farm and things are much better.

2.) Major carrier in an unnamed Asian country sees that a whopping 60% of their bandwidth is propagation of a known worm. This is their customers trying to infect one another. Our device goes in place and cleans it up, stopping it between segments and preventing it from getting out their internet pipe (thus saving them $$).

Sure, there will always be successful attacks that aren't blocked or reported. But in a lot of cases, blocking 2/3 of something is better than blocking nothing and smugly relying on vuln scanners. In the case of carriers, they can't scan their clients, and even if they could, they can't force them to get the appropriate patches/updates.

...just my two cents.

-Dave

-----Original Message-----
From: Aviram Jenik

See, this is what I don't get. I can understand the bored people (sorry Gadi) who want to log and monitor who attacks them and why. I _can't_ understand the busy people who are actually protecting their network, spending their time and money on silly IDS solutions.

So you blocked 2/3 of the attacks. So what? Either those attacks were directed at vulnerabilities you have on your network, or they were futile attacks for services you have patched. If the second is true - why do you care? 0 successful attacks out of 1,000 is equivalent to 0 out of 3,000.

If the first is true, how do you know there wasn't a successful attack in that 1/3 that wasn't blocked by the IDS? Surely you don't want to roll the dice with those odds. True, no solution is perfect, but Paul - why won't you use your IDS/IPS budget, and the time you spent configuring and installing it, in running a vulnerability scanner on a regular basis (automatically, hopefully) and install a decent patch management system to make sure your systems are up to date?

I'm not trying to be argumentative - I'm seriously trying to understand the logic. I must be missing something here.

- Aviram

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.