RE: IPS, alternative solutions

From: Murtland, Jerry (MurtlandJ_at_Grangeinsurance.com)
Date: 09/17/04

  • Next message: Rob Shein: "RE: question about anomalies detection"
    To: 'Jason Haar' <Jason.Haar@trimble.co.nz>, focus-ids@securityfocus.com
    Date: Fri, 17 Sep 2004 15:00:53 -0400
    
    

    I've been reviewing options for Network Admission Control as well to ensure
    consistency of approved applications and disallowing unapproved applications
    and the other inherent sanity checks such as patching, .dats, etc. The two
    that I've seen so far that best addresses the issues are Sygate and ZoneLabs
    (same or not). Cisco has their SA product and we are looking into that
    also. I'm interested to learn what options you are looking at and what your
    opinion is on those solutions.

    Jerry J. Murtland, CISSP

    -----Original Message-----
    From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
    Sent: Wednesday, September 15, 2004 9:09 PM
    To: focus-ids@securityfocus.com
    Subject: Re: IPS, alternative solutions

    On Wed, Sep 15, 2004 at 03:47:28PM -0400, Jason wrote:
    > I would be seriously interested in an ROI that can demonstrate savings.
    >
    > The simple question is how is inline packet scrubbing easier and more
    > cost effective than patching?

    It isn't.

    I think the business community is starting to realise that in this Microsoft
    dominated world, we can no longer exclusively rely on "external"
    infrastructure like firewalls and NIDS to protect our machines - we have to
    make our machines more secure.

    The advent of Windows Updates and SUS are signs that Microsoft is listening
    and learning. Of course I could rant on at length about the *culture* of
    Windows being the much harder nut to crack (local admin privs anyone?), but
    it's moving in the right direction.

    Firewalls and NIDS are obviously good to have (required isn't probably too
    strong a word), but once you have a good, working and productive "network
    protection" infrastructure in place, your security gaze rightfully falls
    back on those darn Windows boxes again...

    In the medium term our company going down the Network Admission Control
    route:
    don't allow a machine onto the corporate network unless it has been VETOED
    by the network as being patched, up to date, etc. Interestingly, this
    "network solution" reinforces my point - it's all about bring consistency
    and security standards to the end-user PC...

    -- 
    Cheers
    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE
    IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
    learn more.
    --------------------------------------------------------------------------
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Rob Shein: "RE: question about anomalies detection"