funsec mailing list archives
Re: so, is I[dp]S a STUPID technology?
From: Jordan Wiens <numatrix () ufl edu>
Date: Tue, 11 Oct 2005 23:32:39 -0400 (EDT)
On Wed, 12 Oct 2005, Aviram Jenik wrote:

> On Wednesday, 12 October 2005 00:13, Paul Schmehl wrote:
> > In edu, I cannot guarantee you, even if I could five minutes ago, that I don't have vulnerabilities on my network.
>
> That's too bad. And this is what you should change. After you fix your vulnerabilities and after you *know* you're patched against the known problems, go ahead and buy an IPS (or any other candy you wish). Also, you'll finally have the time to play with its nice GUI :-)
That's the issue -- when we have thousands of new unknown machines walk onto our campus every year (in reality, it's more than just a few thousand, and it's spread throughout the year) that we have little control over, it's very difficult to ensure that those machines are patched.
At UF, we're working on it, pursuing a variety of end-point compliance methods that we can use at the various places those unmanaged machines enter our network. To be honest though, all of the solutions we're looking at didn't exist 5 years ago when we initially deployed IDS. There was no mechanism to try to patch those end-user machines short of getting administrative access and using some patching tool (as if the lawyers would let us do that for machines we don't control -- talk about liability).
Here's another example where patching doesn't cut it, but I[DP]S does:

Right now the biggest problem we have sweeping through student machines are AIM worms spreading via buddy list messages with enticing (or sometimes, strangely enough, not-so-enticing) messages like "here's the pictures".
They're a dime a dozen right now, lots of bot variants with AIM code in them. There's no vulnerability to be patched to prevent these things from running. There's nothing short of a giant clue stick (which many users receive when they're forced to rebuild after infecting themselves) that will stop them. But guess what? Our IDS can pick up those hosts pretty quickly by monitoring for the IRC C&C, other malicious behavior the bot triggers, or heck, if we know the AIM string or filename of the malware, instances of the bot trying to spread.
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
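The two behaviours Jordan says the IDS keys on (IRC C&C chatter from infected hosts, and AIM lure messages carrying a link to an executable) can be expressed as simple signature checks over per-flow payloads. This is an added example, not code from the thread or from UF; the flow records, lure strings, bot-nick pattern and command list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flows (src host, destination port, captured payload).
# Hosts, channel names and URLs are made up; nothing here is a real capture.
SAMPLE_FLOWS = [
    {"src": "10.20.30.40", "dport": 6667,
     "payload": "NICK [USA|XP]-1234\r\nUSER x 0 0 :x\r\nJOIN #c2chan pass\r\n"},
    {"src": "10.20.30.41", "dport": 5190,
     "payload": "hey, here's the pictures http://example.invalid/pics.pif"},
    {"src": "10.20.30.42", "dport": 80,
     "payload": "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"},
    {"src": "10.20.30.40", "dport": 6667,
     "payload": "PRIVMSG #c2chan :.scan.start lsass 100 5 0 -r -s\r\n"},
]

AIM_PORT = 5190  # AOL Instant Messenger (OSCAR) default port
# Bot-style IRC nick such as "[USA|XP]-1234" (constructed pattern).
BOT_NICK = re.compile(r"^NICK \[[A-Z]{2,3}\|", re.M)
# Dotted bot commands issued over PRIVMSG (constructed command list).
BOT_CMD = re.compile(r"^PRIVMSG \S+ :\.(scan|ddos|download|update)\b", re.M)
# Lure phrases from the AIM-spread messages described in the post.
AIM_LURES = ("here's the pictures", "check out this pic")
EXE_LINK = re.compile(r"https?://\S+\.(exe|pif|scr|com)\b", re.I)


def classify(flow):
    """Return the list of detection reasons that fire for one flow."""
    reasons = []
    payload = flow["payload"]
    # Plain IRC alone is legitimate; require bot-like nick or bot command.
    if BOT_NICK.search(payload) or BOT_CMD.search(payload):
        reasons.append("irc-cnc")
    # AIM message containing a known lure phrase plus an executable link.
    if (flow["dport"] == AIM_PORT
            and any(l in payload.lower() for l in AIM_LURES)
            and EXE_LINK.search(payload)):
        reasons.append("aim-spread")
    return reasons


def suspicious_hosts(flows):
    """Map each source host to the sorted set of reasons it was flagged."""
    hits = defaultdict(set)
    for flow in flows:
        for reason in classify(flow):
            hits[flow["src"]].add(reason)
    return {host: sorted(rs) for host, rs in hits.items()}
```

Running `suspicious_hosts(SAMPLE_FLOWS)` flags the IRC host once (both its flows collapse to one reason) and the AIM host once, while the ordinary web client is left alone; a real deployment would feed this from a sensor tap rather than a static list.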