Re: IDS\IPS that can handle one Gig

From: Frank Knobbe (frank_at_knobbe.us)
Date: 06/07/05

    To: Control Zed <cntlzed@gmail.com>
    Date: Tue, 07 Jun 2005 15:59:24 -0500

    On Tue, 2005-06-07 at 21:06 +0530, Control Zed wrote:
    > Sometimes it may not be possible to patch critical servers simply
    > because you can't afford the downtime or you don't know if the patches
    > would break other critical applications or software.

    If downtime is important, surely there are redundancies in place. You
    should be able to take one set, patch it, verify it, and put it back in
    production, and then repeat the same with the second set. (Of course you
    have the whole thing already tested in your test environment...right?)

    Any company that does not have the capability of working on one half of
    a redundant setup, or doesn't even have a redundant setup, doesn't have
    a test-bed, still hasn't properly addressed handling critical servers or
    dealing with redundancy and downtime issues. Shops without redundant
    capabilities have other problems that need to be addressed first. After
    all, availability is an important leg of most security mantras.

    > So if you know
    > the vulnerability and the way it can be exploited, you can protect it
    > till you can find time to patch it. Nothing wrong in this approach.

    Except for "finding time".

    The risk is that people will brush applying patches aside to deal with
    other more important issues (like fixing non-redundant servers). It's
    the same thing with input validation during code development. Yeah,
    developers know about it, but they just don't have the time to properly
    implement it. I think relying on IPSes to buy time for patch
    installation will do the same thing. Why patch today when you can wait a
    month and roll up several patches at once?

    Peter and Vikram were referring to finding a balance between VM and
    IPS. However, it is not an either-or situation. If you have an IPS
    in place, and even if you don't have any vulnerability management
    software in place, you still have to balance the patching issue.

    I'm just highlighting the danger that if you have one or both in place,
    people might become complacent with actually fixing the vulnerabilities.

    If you don't have to right away, but could patch systems at your
    leisure, would you do it?
    If you don't have to right away, but could implement input validation
    after the fact, would you do it?

    Principle and "correctness" often get compromised for $EXCUSE.

    Cheers,
    Frank
