Nice post. How does one find out misconfigured firewalls and NAT boxes using IPS?

Ravi

On Thu, Mar 5, 2009 at 9:01 AM, Joel M Snyder <[email protected]> wrote:
>> Speaking to the ROI, someone already observed that in at least one
>> environment it was concluded that patch management was addressing an
>> overlapping set of low hanging fruit and that therefore the IPS was no
>> longer earning its keep.
>
> As an interesting coincidence, I advised a client on that last night: they
> were being told that their managed firewall on a 20 person branch office was
> being jacked up from $100/month to $400/month because of the IPS, and I told
> them that if they put that money into better patch discipline, that it would
> be better spent.
>
> HOWEVER, I like to say in my lectures on IPS that focusing on the IPS as a
> way of preventing intrusion attacks tends to discount the huge value of the
> IPS. Personally, I have to agree with naysayers: sticking an IPS out near
> the firewall on a well managed network isn't going to catch much coming in.
> But there are LOTS of other wonderful things that the IPS will help tell
> you about, including:
> - internally infected systems
> - misconfigured applications
> - misconfigured firewalls
> - misconfigured routing
> - misconfigured NAT boxes (I see this A LOT)
> - network usage
> - data leaks
> - inappropriate applications or unknown applications
>
> And I see those as valuable and part of the IPS "earning its keep." The
> notion that a properly managed IDS at TJX would have saved them the
> embarrassment of their data breach is a fiction promoted only by people who
> don't understand what IPS/IDS does but do want to sell you something.
>
> I have some graphs which, in words, essentially say this:
>
> - chances someone will break into your network: about 1%
> - chances that an IPS would have caught it: about 20%
> (in other words: with a firewall and good patch discipline, it probably
> won't happen to you, and if it does, the IPS probably won't catch it)
> AND
> - chances you have a security problem on your network: 100%
> - chances an IPS will help you discover and fix these: 100%
>
> When I tell clients they need/want/should have an IPS, it's not because of
> some motivated external attacker this will help, but it's because they need
> better security visibility in their network and they don't have it.
>
> I have a long-standing bet which I have never lost that says if we put an
> IDS on your network, I can guarantee that it will tell you something about
> your security that you didn't know, but should.
>
> jms
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One  Phone: +1 520 324 0494
> [email protected]  http://www.opus1.com/jms
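As an added illustration of the question raised above (how an IPS/IDS sensor reveals misconfigured firewalls, NAT boxes and routing), here is a small audit over flow records of the kind a sensor exports. This is example code written for this page, not something posted in the thread or part of any product. It assumes two sensor positions (one outside the firewall/NAT, one inside), an assumed inside network of 192.168.10.0/24, an assumed public NAT address of 203.0.113.5, a hypothetical inbound allow policy, and a handful of constructed flow records. The idea is simply that anything private seen on the outside sensor, or any inbound service seen on the inside sensor that the policy does not allow, is a misconfiguration to investigate, which is the kind of "something you didn't know, but should" the thread describes.

```python
"""Audit IPS/IDS flow records for signs of NAT, routing and firewall misconfiguration.

Example code for this page; the sensors, policy, addresses and flows are all
constructed/assumed, not taken from any real deployment.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# RFC 1918 space, checked explicitly: Python's IPv4Address.is_private also
# counts the documentation test-nets used below, which we want treated as public.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed inside network
PUBLIC_NAT_IP = ipaddress.ip_address("203.0.113.5")      # assumed NAT address (TEST-NET-3)

# Hypothetical firewall policy: services the firewall SHOULD allow inbound from the Internet.
ALLOWED_INBOUND = {("tcp", 443), ("tcp", 25)}


@dataclass(frozen=True)
class Flow:
    sensor: str   # "external" = sensor outside the firewall/NAT, "internal" = inside it
    src: str
    dst: str
    dport: int
    proto: str


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if the address is in RFC 1918 private space."""
    return any(addr in net for net in RFC1918_NETS)


def audit(flows):
    """Return (finding_kind, flow) pairs for flows that contradict the expected topology."""
    findings = []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        dst = ipaddress.ip_address(f.dst)
        if f.sensor == "external":
            if is_rfc1918(src):
                # An untranslated internal address escaped past the NAT box.
                findings.append(("nat_leak", f))
            elif is_rfc1918(dst):
                # Something outside is addressing our private space directly:
                # NAT or upstream routing is not doing its job.
                findings.append(("private_dst_outside", f))
        elif f.sensor == "internal":
            inbound_from_outside = not is_rfc1918(src) and dst in INTERNAL_NET
            if inbound_from_outside and (f.proto, f.dport) not in ALLOWED_INBOUND:
                # The firewall passed a service the policy says it should block.
                findings.append(("firewall_gap", f))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'nat_leak': 1, ...}."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample records (the sort of thing an IPS/IDS exports as flow logs).
SAMPLE_FLOWS = [
    Flow("external", "203.0.113.5", "198.51.100.20", 443, "tcp"),     # normal translated outbound
    Flow("external", "192.168.10.42", "198.51.100.20", 80, "tcp"),    # private source leaked past NAT
    Flow("external", "198.51.100.77", "192.168.10.1", 22, "tcp"),     # outsider addressing an inside IP
    Flow("internal", "198.51.100.77", "192.168.10.30", 443, "tcp"),   # allowed inbound service
    Flow("internal", "198.51.100.77", "192.168.10.30", 3389, "tcp"),  # not in policy, yet it got through
    Flow("internal", "192.168.10.5", "192.168.10.30", 3389, "tcp"),   # inside-to-inside, not a firewall matter
]

if __name__ == "__main__":
    for kind, flow in audit(SAMPLE_FLOWS):
        print(f"{kind:20s} {flow.sensor:8s} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print(summarize(audit(SAMPLE_FLOWS)))
```

On real sensor output you would feed the exporter's flow records into `Flow` and replace the assumed networks and policy with your own; the checks themselves are deliberately simple, since the point in the thread is that the visibility, not the signature cleverness, is what earns the box its keep.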
