Checkpoint IPS

Terry Baranski terry.baranski.list at gmail.com
Thu Feb 5 12:57:47 UTC 2015


On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
> On 04/02/2015 17:19, Roland Dobbins wrote:
>>
>> Real life limitations?
>> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>
> Right ;-) Among many other nice ones, I like:
>
> `` ‘IPS’ devices require artificially-engineered topological symmetry-
> can have a negative impact on resiliency via path diversity.''

Dang, I thought this quote was from an April 1st RFC when I first read it. 

I hate to be the bearer of bad news, but everything we do is "artificial".
There are no routers in nature, no IP packets, no fiber optics. There is no
such thing as "natural engineering" -- engineering is "artificial" by
definition.

So when you're configuring artificially-engineered protocols on your
artificially-engineered router so that your artificially-engineered network
can transmit artificially-engineered packets, adding some extra
artificially-engineered logic to enforce symmetry won't break the bank, I
promise. And when done properly it has absolutely no impact on resilience
and path diversity, and will do you all the good in the world from a
troubleshooting perspective (those of you who operate networks).

The whole presentation is frankly just odd to me. It looks at one specific
CND threat (DDoS), and attempts to address it by throwing out the baby with
the bathwater. It says to eliminate state at all costs, but then at the end
advocates for reverse proxies -- which are stateful, and which therefore
create the same "problems" as firewalls and IPSs.

The idea of ripping out firewall/IPS devices and replacing them with router
ACLs is something that, if I were an attacker, I would definitely encourage
all of my targets to do. Firewalls aren't so much the big issue -- one can
theoretically use router ACLs for basic L3/L4 blocks, though they scale
horribly from an O&M perspective, are more prone to configuration errors,
and their manageability is poor. But there's no overstating the usefulness
of a properly-tuned IPS for attack prevention, and the comment in the brief
comparing an IPS to "[Having] your email client set to alert you to incoming
mail" is so bizarre that I wouldn't even know how to counter it.

(I know you're out there Roland and my intention isn't to get into a big
thing with you. But the artificial-engineering thing gave me a chuckle.)

On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
> On 05/02/2015 08:01, Roland Dobbins wrote:
>>
>> The real question is, why 'inspect', at all? 
>
> Yes, that's an even more interesting discussion!

Only if your assets aren't targets. :-)

-Terry
