Checkpoint IPS

Michael Hallgren m.hallgren at free.fr
Thu Feb 5 13:56:00 UTC 2015


On 05/02/2015 13:57, Terry Baranski wrote:
> On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
>> On 04/02/2015 17:19, Roland Dobbins wrote:
>>> Real life limitations?
>>> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>> Right ;-) Among many other nice ones, I like:
>>
>> `` ‘IPS’ devices require artificially-engineered topological symmetry-
>> can have a negative impact on resiliency via path diversity.''
> Dang, I thought this quote was from an April 1st RFC when I first read it. 
>
> I hate to be the bearer of bad news, but everything we do is "artificial".
> There are no routers in nature, no IP packets, no fiber optics. There is no
> such thing as "natural engineering" -- engineering is "artificial" by
> definition.
>
> So when you're configuring artificially-engineered protocols on your
> artificially-engineered router so that your artificially-engineered network
> can transmit artificially-engineered packets, adding some extra
> artificially-engineered logic to enforce symmetry won't break the bank, I
> promise. And when done properly it has absolutely no impact on resilience
> and path diversity, and will do you all the good in the world from a
> troubleshooting perspective (those of you who operate networks).

Depends on the underlying physical network... (which may be quite
costly to ``fix'').

mh

>
> The whole presentation is frankly just odd to me. It looks at one specific
> CND threat (DDoS), and attempts to address it by throwing out the baby with
> the bathwater. It says to eliminate state at all costs, but then at the end
> advocates for reverse proxies -- which are stateful, and which therefore
> create the same "problems" as firewalls and IPSs.
>
> The idea of ripping out firewall/IPS devices and replacing them with router
> ACLs is something that, if I were an attacker, I would definitely encourage
> all of my targets to do. Firewalls aren't so much the big issue -- one can
> theoretically use router ACLs for basic L3/L4 blocks, though they scale
> horribly from an O&M perspective, are more prone to configuration errors,
> and their manageability is poor. But there's no overstating the usefulness
> of a properly-tuned IPS for attack prevention, and the comment in the brief
> comparing an IPS to "[Having] your email client set to alert you to incoming
> mail" is so bizarre that I wouldn't even know how to counter it.
>
> (I know you're out there Roland and my intention isn't to get into a big
> thing with you. But the artificial-engineering thing gave me a chuckle.)
>
> On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
>> On 05/02/2015 08:01, Roland Dobbins wrote:
>>> The real question is, why 'inspect', at all? 
>> Yes, that's an even more interesting discussion!
> Only if your assets aren't targets. :-)
>
> -Terry
>
>
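An added illustration of the two points argued above, namely that a stateful inline device (firewall/IPS) needs symmetric paths because it must see both directions of a flow, while a stateless router ACL does not but in exchange cannot tell an unsolicited packet from a reply. This is a constructed toy model written for this page, not code posted by anyone in the thread; the addresses are RFC 5737 documentation ranges, the two edge devices "A" and "B" are assumed to share no state, and the policies are deliberately minimal stand-ins for real firewall and ACL behaviour.

```python
"""Toy model of a stateful inline inspector versus a stateless router ACL under
symmetric and asymmetric routing. Constructed illustration only; the addresses
are RFC 5737 documentation ranges and the policies are deliberately minimal."""
from dataclasses import dataclass

CLIENT, SERVER = "203.0.113.5", "198.51.100.10"  # assumed hosts
SERVICE_PORT = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}


class StatefulInspector:
    """Minimal connection tracker, roughly what a firewall/IPS does: a packet is
    allowed only if it opens a flow (bare SYN) or belongs to a flow this box
    has already seen. There is no state sharing between boxes."""

    def __init__(self):
        self.flows = {}  # direction-independent flow key -> state

    @staticmethod
    def _key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p):
        k = self._key(p)
        state = self.flows.get(k)
        if p.flags == {"SYN"}:
            self.flows[k] = "SYN_SENT"
            return "ALLOW"
        if state is None:
            return "DROP"  # out-of-state: this box never saw the flow's SYN
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.flows[k] = "ESTABLISHED"
            return "ALLOW"
        if "ACK" in p.flags:  # ack/data traffic on a flow we know about
            return "ALLOW"
        return "DROP"


class StatelessAcl:
    """Router ACL analogue: permit new connections to the service port and
    anything with ACK set (the classic 'established' keyword). No flow memory,
    so it does not care which box the reply path crosses."""

    def handle(self, p):
        if p.dport == SERVICE_PORT or "ACK" in p.flags:
            return "ALLOW"
        return "DROP"


def handshake():
    """Constructed three-way handshake from CLIENT to SERVER:443."""
    return [
        Packet(CLIENT, SERVER, 40000, SERVICE_PORT, frozenset({"SYN"})),
        Packet(SERVER, CLIENT, SERVICE_PORT, 40000, frozenset({"SYN", "ACK"})),
        Packet(CLIENT, SERVER, 40000, SERVICE_PORT, frozenset({"ACK"})),
    ]


def run_handshake(policy_cls, forward_edge, reverse_edge):
    """Two independent edge devices 'A' and 'B' run the same policy.
    forward_edge carries client->server, reverse_edge carries server->client.
    Feeding stops at the first drop, since the endpoint never sees that packet
    and the handshake stalls. Returns the list of verdicts."""
    edges = {"A": policy_cls(), "B": policy_cls()}
    verdicts = []
    for p in handshake():
        edge = forward_edge if p.dst == SERVER else reverse_edge
        verdict = edges[edge].handle(p)
        verdicts.append(verdict)
        if verdict == "DROP":
            break
    return verdicts


def stray_ack_probe(policy_cls):
    """An unsolicited ACK to port 22, what an ACK scan or a spoofed packet
    looks like. Shows the price of statelessness: the ACL lets it through."""
    p = Packet("192.0.2.99", SERVER, 55555, 22, frozenset({"ACK"}))
    return policy_cls().handle(p)


if __name__ == "__main__":
    for cls in (StatefulInspector, StatelessAcl):
        print(cls.__name__,
              "symmetric:", run_handshake(cls, "A", "A"),
              "asymmetric:", run_handshake(cls, "A", "B"),
              "stray ACK:", stray_ack_probe(cls))
```

With symmetric paths both policies pass the handshake; with the reply routed through the other box the stateful inspector drops the SYN-ACK as out-of-state and the connection never completes, which is the "topological symmetry" requirement in the slide. The stateless ACL is indifferent to the path, but it also admits a bare ACK to any port, which is the kind of thing a flow-tracking device would have stopped.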