RE: NIPS Vendors explicit answer

From: Rob Shein (shoten_at_starpower.net)
Date: 04/28/04


To: "'Frank Knobbe'" <frank@knobbe.us>
Date: Wed, 28 Apr 2004 12:15:07 -0400

Comments inline...

> -----Original Message-----
> From: Frank Knobbe [mailto:frank@knobbe.us]
> Sent: Wednesday, April 28, 2004 12:07 PM
> To: Rob Shein
> Cc: focus-ids@securityfocus.com
> Subject: RE: NIPS Vendors explicit answer
>
>
> On Tue, 2004-04-27 at 10:39, Rob Shein wrote:
> > I can answer this fairly easily. Bruce Schneier, among other people,
> > has been pointing out that the real measure of security is how
> > gracefully it fails.
>
> I think that was in the context of "a failed component should
> fail safe and not become a threat to others" as opposed to
> "if a component fails, let's hope there is a second one catching it".

Actually, that's not what he meant. He was referring to things like the
amount of damage caused when a component fails. One example he described
was the case of a man who ran clear through the security checkpoint of an
airport terminal; as a result, they had to shut down the entire terminal,
affecting flights nationwide. In this case, things failed safe, but it was
a disaster. This was an example of security not failing gracefully. His
recommendation was to have more security checkpoints, and have them placed
so that each one covers a smaller section of the airport; that way a single
failure won't take down half of LaGuardia, LAX, or Dulles.

>
> > In many large environments (like where I am right now) there can be
> > confusion as to who is responsible for which system; the system in
> > question may go unpatched as a result. When there's an IPS on top of
> > everything, it makes a big difference, because now you have another
> > layer of defense to protect it.
>
> It seems that you have a failing/broken patch management
> system. I would put resources towards fixing that instead of
> adding yet another layer of band-aids (IPS).

Well, I don't see how I'm going to fix the fact that humans are involved,
and inherently prone to mistakes. I'd have to show you the organizational
management changes to explain further, but this was not a technical failure
in my example.

> Don't get me wrong, I see where it is useful. But the
> security community is starting to slap patches and products
> on top of one another without fixing the real symptoms. We
> are starting to believe that the mass of band-aids are a
> strong rope. It's like Microsoft adding patches on top of
> patches to fix broken patches while they should be going back
> and fix the underlying root causes.

And while they're doing that (which they aren't, by the way), what are the
rest of us supposed to do in the meanwhile? :)

> I think the same is happening with IPS. They are the solution
> to all problems, but not the cure. Yes, you protect your
> network from known
> (signature) or vastly abnormal (flows) vulnerability abuse.
> But the solution is only temporary unless it works, right?
> I'm trying to highlight the danger that we might not address
> the root causes (mainly fixing broken software, or broken
> patch management, or lax access controls, etc).
>
> The security industry is becoming more reactive than
> proactive. Heck, we're still reacting to viruses like we did
> 20 years ago. We still haven't found a way to prevent them in
> a proactive way. I think IPS will go the same route. With
> IPSes in place, our priorities are changing towards other
> issues and broken pieces are left in place because they are
> (currently) not dangerous, protected by an IPS. And we may
> never go back to fix them because they don't pose as much of
> a perceived threat anymore (as I was hinting with my
> "complacent" comment earlier).

Bad people do bad things. I don't know of any really proactive solution to
this fact that has ever been developed. If you consider car alarms, locks
on doors, bulletproof glass, and burglar alarms to be reactive, then IPS is
reactive too. If you consider them proactive, in that they are put in place
to forestall, prevent or deter an attack, then so is IPS.
