Checkpoint IPS

jim deleskie deleskie at gmail.com
Thu Feb 5 13:15:17 UTC 2015


mh,

 you know that forcing traffic to be symmetrical is evil, and while
backbone traffic and inspection don't play nice, there are very legit
reasons why, in many cases edge traffic must be open for inspection.  I'm
on my way to the office, feel free to ping me if you want to discuss.  Or
maybe I could use it as a reason to come visit; it's been a while since
we've had a chance to vis-a-vis :)


-jim

On Thu, Feb 5, 2015 at 8:57 AM, Terry Baranski <
terry.baranski.list at gmail.com> wrote:

> On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
> > On 04/02/2015 17:19, Roland Dobbins wrote:
> >>
> >> Real life limitations?
> >> https://app.box.com/s/a3oqqlgwe15j8svojvzl
> >
> > Right ;-) Among many other nice ones, I like:
> >
> > "'IPS' devices require artificially-engineered topological symmetry -
> > can have a negative impact on resiliency via path diversity."
>
> Dang, I thought this quote was from an April 1st RFC when I first read it.
>
> I hate to be the bearer of bad news, but everything we do is "artificial".
> There are no routers in nature, no IP packets, no fiber optics. There is no
> such thing as "natural engineering" -- engineering is "artificial" by
> definition.
>
> So when you're configuring artificially-engineered protocols on your
> artificially-engineered router so that your artificially-engineered network
> can transmit artificially-engineered packets, adding some extra
> artificially-engineered logic to enforce symmetry won't break the bank, I
> promise. And when done properly it has absolutely no impact on resilience
> and path diversity, and will do you all the good in the world from a
> troubleshooting perspective (those of you who operate networks).
>
> The whole presentation is frankly just odd to me. It looks at one specific
> CND thread (DDoS), and attempts to address it by throwing out the baby with
> the bathwater. It says to eliminate state at all costs, but then at the end
> advocates for reverse proxies -- which are stateful, and which therefore
> create the same "problems" as firewalls and IPSs.
>
> The idea of ripping out firewall/IPS devices and replacing them with router
> ACLs is something that, if I were an attacker, I would definitely encourage
> all of my targets to do. Firewalls aren't so much the big issue -- one can
> theoretically use router ACLs for basic L3/L4 blocks, though they scale
> horribly from an O&M perspective, are more prone to configuration errors,
> and their manageability is poor. But there's no overstating the usefulness
> of a properly-tuned IPS for attack prevention, and the comment in the brief
> comparing an IPS to "[Having] your email client set to alert you to
> incoming mail" is so bizarre that I wouldn't even know how to counter it.
>
> (I know you're out there Roland and my intention isn't to get into a big
> thing with you. But the artificial-engineering thing gave me a chuckle.)
>
> On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
> > On 05/02/2015 08:01, Roland Dobbins wrote:
> >>
> >> The real question is, why 'inspect', at all?
> >
> > Yes, that's an even more interesting discussion!
>
> Only if your assets aren't targets. :-)
>
> -Terry