RE: NIPS Vendors explicit answer

From: Rob Shein (shoten_at_starpower.net)
Date: 04/27/04

  • Next message: Teicher, Mark (Mark): "RE: NIPS Vendors explicit answer"
    To: "'Frank Knobbe'" <frank@knobbe.us>, "'Vikram Phatak'" <vphatak@lucidsecurity.com>
    Date: Tue, 27 Apr 2004 11:39:28 -0400
    
    

    I can answer this fairly easily. Bruce Schneier, among other people, has
    been pointing out that the real measure of security is how gracefully it
    fails. In many large environments (like where I am right now) there can be
    confusion as to who is responsible for which system; the system in question
    may go unpatched as a result. When there's an IPS on top of everything, it
    makes a big difference, because now you have another layer of defense to
    protect it. At some point, someone is bound to notice that the system isn't
    patched, but at least it won't be because of some 1337 d00d tearing it up.
    For a public-facing service this is an entire second layer of protection,
    where before there was only one.

    I'd also think that any environment that could tackle the implementation of
    an IPS correctly would already have patching fairly well in hand. And I
    doubt they'd stop patching at that point, anyways.

    Oh, and I second the request for an IPS list. Good idea, Frank!

    > -----Original Message-----
    > From: Frank Knobbe [mailto:frank@knobbe.us]
    > Sent: Monday, April 26, 2004 8:04 PM
    > To: Vikram Phatak
    > Cc: focus-ids@securityfocus.com
    > Subject: Re: NIPS Vendors explicit answer
    >

    <snip>

    >
    >
    > True. It seems I was focusing on the detection part, not the
    > prevention part. A product that shields existing
    > vulnerabilities from a network does have merit.
    >
    > I think I just question why we need the product. It appears
    > that it would allow us to be more complacent with our
    > networks. Why patch the system when the IPS shields it? There
    > seem to be two sides to the IPS-shielding-the-network
    > approach. I can see where it is useful (especially when
    > running Microsoft products, the latest SSL issue being the
    > perfect example). But at the same time it is only a band-aid
    > until the hosts are patched. Shouldn't we focus our
    > preventative efforts on the hosts?
    >
    > (not dispelling IPS, but we should use it as a substitute for
    > securing systems).

    <snip snip>
