Checkpoint IPS

Joel Maslak jmaslak at antelope.net
Fri Feb 6 15:25:27 UTC 2015


On Thu, Feb 5, 2015 at 10:47 AM, Roland Dobbins <rdobbins at arbor.net> wrote:

>
> On 6 Feb 2015, at 0:38, Raymond Burkholder wrote:
>
> > There must be some sort of value in that?
>
> No - patch the servers.
>

Patching servers protects against >0 Day attacks only.

This does not protect against 0 day attacks, unless you know of an OS
vendor that writes good code without security holes.

What type of device needed depends on risk, what you are protecting, what
attacks are important, etc.  It's not a simple matter of "firewall bad" or
"firewall good".

I won't even get into the stateless-vs-stateful debate, because it's more
complex than "stateful bad" (*cough* SIP *cough*). Nor will I mention that
it depends on what you're protecting to figure out how much of each of
availability or confidentiality or integrity you need - you might need lots
of integrity but little availability, for instance.


