Penetration Testing mailing list archives
Re: IPS arguments
From: Micheal Cottingham <techie.micheal () gmail com>
Date: Wed, 4 Mar 2009 20:46:28 -0500
Touche. :) But ... I'll argue that if hardening and least-privilege aren't followed, is it really defense in depth? Just thought I'd throw that out there.

On Tue, Mar 3, 2009 at 7:45 PM, JoePete <security-focus () joepete com> wrote:
Here's the Catch-22: If we really believed in "defense in-depth," then would we need IPS to begin with? With rare exception, the problem is, for whatever reason, we have implemented systems throughout an organization with far too many vulnerabilities and permissions. If we believed in defense in-depth, then we would also believe in least privilege, but clearly the fact that every secretary in America is on Yahoo Messenger, MySpace, etc. means that we skipped right over that. So too is it that the most popular combination of OS and browser in corporate America is a perfect storm of infosec vulnerability, but we roll out 20,000-plus networks of these combinations because ... well that's the question, why do we do it?

Since we have punted on the individual systems that comprise the network, we throw everything we have at the perimeter. Invariably someone gets through the perimeter and has free run inside the network. Rather than fixing the network, we just look for another appliance to layer on at the perimeter.

Defense in-depth is a nice concept, but as applied, it more often than not becomes defense via duct tape -- just keep slapping on another piece rather than fixing what's underneath.

IMHO :-)

-- JoePete