RE: IPS, alternative solutions

From: Palmer, Paul (ISSAtlanta) (PPalmer_at_iss.net)
Date: 09/17/04

  • Next message: X-Force: "ISS Protection Brief: Microsoft GDI+ JPEG Processing Exploitation"
    Date: Fri, 17 Sep 2004 10:35:49 -0400
    To: "Jason" <security@brvenik.com>, "Scott Wimer" <scottw@cylant.com>
    
    

    Jason,

    The ROI in a medium+ organization does not come from using IPS as a
    patch replacement system. The IPS lets the organization schedule the
    patches at its convenience instead of the de facto schedule implied by
    the release of the patch. That is, without something like an IPS in
    place, the organization needs to apply patches as quickly as possible to
    maintain their security posture. This is problematic for many reasons.
    However, there are two common, major ones. First, it can take months
    (even longer) to deploy a patch to all levels of an organization. During
    this time the organization remains vulnerable. Second, it is difficult
    to manage multiple overlapping patch and/or frequent patch processes.

    The IPS allows them to delay patch installation until it is convenient
    and this is where the ROI materializes. The IPS protects the
    organization until it can deploy the patch everywhere. The ROI here is
    obvious when a worm hits before you can complete the patch installation.

    It turns out that the cost to install a dozen patches at once (even from
    multiple vendors) is not much more than the cost to install one critical
    patch. So an organization that can defer all patch installation to the
    beginning of each quarter for example can reap huge dividends over the
    cost of rolling out each patch individually. They only need to test one
    set of changes prior to applying them (instead of several per quarter).
    In addition, the number of different configurations present in the
    organization at any moment is reduced, thereby lowering support costs.

    Paul

    -----Original Message-----
    From: Jason [mailto:security@brvenik.com]
    Sent: Wednesday, September 15, 2004 3:47 PM
    To: Scott Wimer
    Cc: Daniel; focus-ids@securityfocus.com
    Subject: Re: IPS, alternative solutions

    I've heard of no medium+ sized business that is considering deploying
    inline technology on the internals of the network in a sufficiently
    pervasive manner that there would be any measurable benefit from the
    technology over patching and asset management.

    I would be seriously interested in an ROI that can demonstrate savings.

    The simple question is how is inline packet scrubbing easier and more
    cost effective than patching?

    Scott Wimer wrote:

    > Daniel,
    >
    > I agree with your assessment. What I have encountered in the
    > financial sector though is a desire to have the packets "scrubbed"
    > before they reach the servers. People _want_ to deploy network based
    > IPS tools because it is easier and more cost effective. That it
    > doesn't seem to be possible yet is another story altogether.
    >
    > Regards, Scott Wimer
    >
    > On Tue, 2004-09-14 at 06:01, Daniel wrote:
    >
    >> So far there has been a load of talk discussing which is the better
    >> technology. Personally I don't think IPS is ready for the big time.
    >> Yeah, it's great for small mum and dad networks, but for large
    >> financial networks with billions of pounds flowing across them, would
    >> you trust a technology to think and block what it deems as bad
    >> traffic?
    >>
    >> So what are the alternatives? I'd say more host based protection such
    >> as:
    >>
    >> - Stack protection
    >> - Application level firewalls (ModSecurity/SecureIIS)
    >> - Host based firewalls
    >>
    >> I'm interested to see what everyone else feels are alternatives to
    >> IPS
    >>
    >>
    >> ---------------------------------------------------------------------
    >> -----
    >> Test Your IDS
    >>
    >> Is your IDS deployed correctly? Find out quickly and easily by
    >> testing it with real-world attacks from CORE IMPACT. Go to
    >> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >> to learn more.
    >>
    ------------------------------------------------------------------------

    
