On 28/03/06 08:46 -0800, Andrew Plato wrote:
> > I for one worry more about downtime than getting hacked.
> > If I am well organised, patched and secured in depth,
> > the possibility for getting hacked is very low. A 'leet
> > hacker would probably operate under an IPS/IDS
> > detection range anyway.
>
> Hacking is only one aspect. IPS does a lot more than stop hackers. It
> also stops internal people from doing things they shouldn't. It also can
> spot poorly coded applications, misconfigurations, abuse, theft,
> information leakage, viruses, worms, spyware, P2P, chat, rootkits...and
> many other things. A well tuned IPS controls more than just exploits. It
> can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And
> before you say "well a firewall can do that." No it can't. If you run
> IRC on port 80 it can slice through most firewalls on the market.

If by firewall, you mean a packet filter, then you are correct. If by
firewall, you mean a proxy which validates protocols and is in default
deny mode, then you are just wrong.

"If I don't have a proxy for it, I don't let the traffic through" works
just fine. An IPS looks at stuff on the wire, decides what is bad, and
blocks it. A real firewall looks at stuff on the wire, decides what is
good, and allows it. A real firewall hooks into everything (servers,
network equipment, desktops...).

> I have a diagram I use in a presentation on the Myths of IPS. You can
> see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf
>
> It's the Risk Reduction Bang for the Buck chart. It compares IPS to
> other common security/network technologies such as AV, content
> filtering, firewalls and packet shapers. A well tuned, well managed IPS
> can provide more services and capabilities in one unit than all those
> other technologies combined. As I tell people - firewalls and AV are
> important and should never be overlooked. But once those protections are
> in place, IPS offers the most bang for the buck in security
> technologies.

Once you have a firewall in place, you need a system which analyses logs
and traffic which gets through your firewall.

> Also - you cannot patch your way to security. Patching merely plugs the
> holes you know about. There are, at any given time, hundreds if not
> thousands of holes you don't know about. Good IPS manufacturers are
> deploying protections before exploits hit the public.

Which is why you need to run secure code in the first place. Bandaids
are not a panacea for vulnerable code.

Really, it would help to compare IPSes with proxies instead of known
broken systems.

Devdas Bhagat
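The "default deny" distinction Devdas draws (a packet filter passes anything addressed to port 80, a protocol-validating proxy passes only what parses as HTTP) as an added illustration that is not part of the thread and not any real proxy's code. The request samples are constructed, and the allow-list of methods is an assumption chosen for the example.

```python
import re
from typing import Tuple

# Constructed samples (not from the thread): a legitimate HTTP request and an
# IRC client handshake sent to TCP port 80, which a pure packet filter would
# pass on port number alone.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IRC_ON_PORT_80 = b"NICK leet\r\nUSER leet 0 * :leet\r\nJOIN #chan\r\n"

# Default deny: only these request shapes count as "good"; everything else is
# dropped, including methods we have not explicitly decided to proxy (assumed
# allow-list for the example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def validate_http(data: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for the start of a client stream on port 80.

    The stream is allowed only when it positively parses as an HTTP/1.x
    request head; anything the validator cannot vouch for is denied, which
    is what "decides what is good, and allows it" means in practice.
    """
    first_line, _, _ = data.partition(b"\r\n")
    m = REQUEST_LINE.match(first_line)
    if not m:
        return False, "request line is not HTTP/1.x: %r" % first_line[:40]
    method, target = m.group(1).decode(), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method %s not in allow-list" % method
    if not (target.startswith(b"/") or target.startswith(b"http://")):
        return False, "unexpected request target"
    head_end = data.find(b"\r\n\r\n")
    if head_end < 0:
        return False, "no complete request head"
    for line in data[:head_end].split(b"\r\n")[1:]:
        if not HEADER_LINE.match(line):
            return False, "malformed header: %r" % line[:40]
    return True, "valid %s request" % method


if __name__ == "__main__":
    for sample in (HTTP_REQUEST, IRC_ON_PORT_80):
        allowed, reason = validate_http(sample)
        print("ALLOW" if allowed else "DENY ", reason)
```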
