RE: Re: Checkpoint IPS
IPSes are like any security technology, they are only as good as their implementor/administrator. I've seen some installations just set up defaults and leave them that way without any maintenance nor much oversight of alarms. I've even seen some that do 0-day implementation of new signatures, and get some legitimate or even ALL traffic blocked by a bad signature (Astaro/Sophos UTM) update back in ~2004. On the other hand, I've seen some great implementations--some of which did a FANTASTIC job of making a network auditable, some of which made a network less liable legally and financially, and quite a few that made a network more secure.

To me, the big drawback of an IPS is, no matter how well integrated, implemented, and maintained--its fundamental nature is flawed. Instead of default-deny with white lists, it is default-allow with black lists. It will always lag behind. It will always allow infinitely large holes. That's why I prefer an OSI complete firewall instead, or else an IPS in detect mode only, or in certain cases an IPS used in a specific case, e.g. a WAF or SAF for a server/application/zone that is specifically fuzzy or will not adhere to security principles (vendor demilitarized zones, enclaves, whatever the buzz-word is at the moment).

I understand the whole argument against state, and dismiss it. That's throwing the baby out with the bathwater. It isn't perfect, it can be overcome via DDOS and saturation, so we should get rid of it. Tanks can be destroyed by bazookas, whatever. Tanks are still useful on the battlefield if utilized properly. Firewalls and IPSes are the same way.

--p
RE: Re: Checkpoint IPS
Auto-Update can cause problems. I take the stance that updates should be verified in a CERT or ISO first, before being operationalized.

--p

-Original Message-
From: Colin Johnston [mailto:col...@gt86car.org.uk]
Sent: Friday, February 06, 2015 10:46 AM
To: Darden, Patrick
Cc: Colin Johnston; Roland Dobbins; nanog@nanog.org
Subject: [EXTERNAL]Re: Checkpoint IPS

Yes, update can cause problems, same as router code updates as well. But update is the price of progress.

Col

On 6 Feb 2015, at 16:44, Darden, Patrick patrick.dar...@p66.com wrote:

Sorry, didn't mean to imply otherwise. Had an incident back in ~2004 where an IPS signature update closed ALL network traffic. Including fix-it updates. Definitely a case where the IPS caused major difficulties for a network.

--p

-Original Message-
From: Colin Johnston [mailto:col...@gt86car.org.uk]
Sent: Friday, February 06, 2015 10:32 AM
To: Darden, Patrick
Cc: Colin Johnston; Roland Dobbins; nanog@nanog.org
Subject: [EXTERNAL]Re: Checkpoint IPS

Thought I would add Astaro IPS works great, great functionality and does prevent ddos and exploits.

Colin
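The staging step Patrick argues for above (verify a signature update against known traffic before it goes into blocking mode) can be automated as a regression gate. The block below is an added example written for this page; it is not code from the thread, from Check Point, Astaro/Sophos or any other vendor. It assumes a hypothetical, simplified signature format (a regex over a one-line flow descriptor), constructed corpora of known-good and known-bad flows, and constructed signature ids; a real IPS ruleset and traffic replay are far richer, so what matters here is the gating logic: replay both the current and the candidate rule set over the corpora, refuse the update if it blocks known-good traffic the old set allowed (the failure mode of the ~2004 incident), and also refuse it if it loses a detection the old set already had.

```python
"""Pre-deployment regression gate for an IPS signature update (added example).

Signatures, flow descriptors and corpora are all constructed for this demo;
they are not real vendor rules or real traffic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One hypothetical IPS rule: a content match expressed as a regex."""
    sid: int
    name: str
    pattern: str

    def matches(self, flow: str) -> bool:
        return re.search(self.pattern, flow) is not None


def blocking_sids(rules, flow):
    """Return the sids of every rule that would block this flow in prevent mode."""
    return [s.sid for s in rules if s.matches(flow)]


def evaluate_update(current, candidate, known_good, known_bad):
    """Replay labelled corpora through the current and candidate rule sets.

    Refuses an empty known-good corpus: with nothing to replay, any update,
    including one that blocks everything, would pass the gate vacuously.
    """
    if not known_good:
        raise ValueError("known-good corpus is empty; validation would be vacuous")
    new_fps = [f for f in known_good
               if blocking_sids(candidate, f) and not blocking_sids(current, f)]
    lost = [f for f in known_bad
            if blocking_sids(current, f) and not blocking_sids(candidate, f)]
    blocked_good = sum(1 for f in known_good if blocking_sids(candidate, f))
    blocked_bad = sum(1 for f in known_bad if blocking_sids(candidate, f))
    return {
        "new_false_positives": new_fps,
        "lost_detections": lost,
        "fp_rate": blocked_good / len(known_good),
        "detection_rate": blocked_bad / len(known_bad) if known_bad else 0.0,
    }


def approve_update(current, candidate, known_good, known_bad, max_fp_rate=0.0):
    """Gate for promoting a signature update from the test enclave to production.

    Approve only if the candidate blocks no more known-good traffic than
    policy allows and drops no detection the current set already provides.
    """
    report = evaluate_update(current, candidate, known_good, known_bad)
    ok = report["fp_rate"] <= max_fp_rate and not report["lost_detections"]
    return ok, report


# Constructed rule sets (sids and patterns are made up for the demo).
CURRENT_RULES = [
    Signature(1000001, "bad-scanner-ua-v1", r"User-Agent: constructed-bad-scanner/1\.0"),
]
# A sane update: adds coverage for a second scanner version.
CANDIDATE_OK = CURRENT_RULES + [
    Signature(1000002, "bad-scanner-ua-v2", r"User-Agent: constructed-bad-scanner/2\.0"),
]
# A broken update in the spirit of the ~2004 incident: the new rule matches every TCP flow.
CANDIDATE_OVERBROAD = CURRENT_RULES + [
    Signature(1000003, "overbroad-content-match", r"tcp"),
]

# Constructed traffic corpora captured (hypothetically) from the CERT/ISO test enclave.
KNOWN_GOOD = [
    "tcp 10.0.0.5:51234 -> 10.0.0.10:80 GET /index.html User-Agent: Mozilla/5.0",
    "udp 10.0.0.5:53001 -> 10.0.0.2:53 A? www.example.com",
    "tcp 10.0.0.5:51240 -> 10.0.0.20:22 SSH-2.0-OpenSSH_6.7",
    "tcp 10.0.0.7:51300 -> 10.0.0.10:443 TLS ClientHello sni=www.example.com",
]
KNOWN_BAD = [
    "tcp 198.51.100.9:40000 -> 10.0.0.10:80 GET / User-Agent: constructed-bad-scanner/1.0",
    "tcp 198.51.100.9:40001 -> 10.0.0.10:80 GET / User-Agent: constructed-bad-scanner/2.0",
]

if __name__ == "__main__":
    for label, cand in (("ok", CANDIDATE_OK), ("overbroad", CANDIDATE_OVERBROAD)):
        ok, rep = approve_update(CURRENT_RULES, cand, KNOWN_GOOD, KNOWN_BAD)
        print(label, "APPROVED" if ok else "REJECTED",
              f"fp_rate={rep['fp_rate']:.2f} detection_rate={rep['detection_rate']:.2f}",
              f"new_fps={len(rep['new_false_positives'])}")
```

The default `max_fp_rate=0.0` is deliberate: an IPS in prevent mode that blocks any of the enclave's known-good traffic should not be promoted without a human looking at the offending flows, which is exactly the review step Patrick describes. Loosen it only for a detect-only deployment, and keep the known-good corpus current, since a stale corpus lets a bad update through just as surely as no corpus at all.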
RE: Re: Checkpoint IPS
Absolutely. Valuable humans behind the tools will always provide better benefits than what vendors may generically sell/deliver.
RE: Re: Checkpoint IPS
And when your opinion is an acknowledged universal constant, I will tip my hat to you. In the meantime, your argument is extremely soundbitey--sounds great, but stupid.

--p

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, February 06, 2015 10:09 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Checkpoint IPS

On 6 Feb 2015, at 21:27, Darden, Patrick wrote:

I understand the whole argument against state, and dismiss it.

One can 'dismiss' the speed of light in a vacuum or the Planck constant, but that doesn't exempt one from their constraints.

---
Roland Dobbins rdobb...@arbor.net
RE: Re: Checkpoint IPS
Sorry, didn't mean to imply otherwise. Had an incident back in ~2004 where an IPS signature update closed ALL network traffic. Including fix-it updates. Definitely a case where the IPS caused major difficulties for a network.

--p

-Original Message-
From: Colin Johnston [mailto:col...@gt86car.org.uk]
Sent: Friday, February 06, 2015 10:32 AM
To: Darden, Patrick
Cc: Colin Johnston; Roland Dobbins; nanog@nanog.org
Subject: [EXTERNAL]Re: Checkpoint IPS

Thought I would add Astaro IPS works great, great functionality and does prevent ddos and exploits.

Colin
RE: Re: Checkpoint IPS
Securing hosts/applications/services themselves is the way to protect them from compromise. Can't go wrong with defense in depth. I'd definitely throw securing routers in there, throw in firewalls, periodic internal scanning for idiot mistakes, audits, etc. I still think IPS/IDSes can be wielded to good effect in several different scenarios--e.g. just before the core switch (or spanning the core switch) of a PCN network, alerting to anything going on intra vs. inter.

--p

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins
Sent: Thursday, February 05, 2015 7:20 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Checkpoint IPS

On 5 Feb 2015, at 20:13, Michael O Holstein wrote:

Personally I'm of the belief that *all* IPS systems are equally worthless, unless the goal is to just check a box on a form.

Concur 100%. Securing hosts/applications/services themselves is the way to protect them from compromise.

---
Roland Dobbins rdobb...@arbor.net