Penetration Testing mailing list archives
Re: IPS arguments
From: Micheal Cottingham <techie.micheal () gmail com>
Date: Sun, 1 Mar 2009 01:06:33 -0500
I like to think that an IPS, regardless of what vendor you use, as a "virtual patch." That is, it buys you some time until you can get those lovely patches tested and rolled out over a 20k+ PC environment. ;) An IPS is not, and should not, be the be all and end all, which is why in my earlier email I mentioned defense in-depth. I absolutely think IPSs have their place in the enterprise, but anybody that thinks IPSs are going to solve all their problems needs to rethink their strategies. :) Micheal On Fri, Feb 27, 2009 at 2:11 AM, Trygve Aasheim <trygve () pogostick net> wrote:
I agree, and disagree. An IPS does a lot more than protect against exploits. And of course, all people should behave well, all developers should write secure code, all patches should be installed and everybody should respect eachother in traffic on their way to work. The world isn't like that, but it is a good thought. Users will always try "something", developers will always make mistakes from time to time, patches might not arrive in time to protect against threats (ref. Adobe these days) and the world is a place for people who think about themselves first. Sorry. But then...that might be a good thing. It's why we have a pay check ;) What can an IPS system give you? How about monitoring and blocking typical back connections from bots? Shellcode being sent over the network? The use of remote desktop tools from outside your network (logmein etc)? SSH over other ports than 22? A lightweight DLP solution? etc etc etc (a typical IPS usually have hundreds of different signatures/filters etc for stuff like this) I'm not saying that your points ain't valid, and this is not black/white - but an IPS is a lot more than just detecting exploit attempts. Regards, T Danny Fullerton skrev:Personally, from my experience, IPS should not be the main technology to think of when in come to improving security. I seen a lot more ROSI on getting better secure development cycle, tight patching process and selecting more `secure by design` technologies (memory protection, java instead of c++, avoid Windows when possible, buy software from security oriented company and do some pen test on those application, etc) then implementing those complicated IPS system. For sure, an IPS might be a good thing if all the above is already covered and you still have some money to invest but it should not be the first thing to think of. regards,
Current thread:
- Re: IPS arguments Micheal Cottingham (Mar 03)
- Message not available
- Re: IPS arguments Micheal Cottingham (Mar 04)
- Message not available