Checkpoint IPS

Michael Hallgren m.hallgren at free.fr
Thu Feb 5 14:06:12 UTC 2015


On 05/02/2015 14:15, jim deleskie wrote:
> mh,

Hi there Jim :-)

>
>  you know that forcing traffic to be symmetrical is evil,

Voilà!

> and while backbone traffic and inspection don't play nice, there are
> very legit reasons why, in many cases edge traffic must be open for
> inspection.

Yes, right, often some such `control' is on wish-lists.

>   I'm on my way to the office, feel free to ping me if you want to
> discuss.  Or maybe I could use it as a reason to come visit; it's been
> a while since we've had a chance to vis-a-vis :)

With pleasure! Yes, it's been too long... TTYS,

mh
>
>
> -jim
>
> On Thu, Feb 5, 2015 at 8:57 AM, Terry Baranski
> <terry.baranski.list at gmail.com> wrote:
>
>     On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
>     > On 04/02/2015 17:19, Roland Dobbins wrote:
>     >>
>     >> Real life limitations?
>     >> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>     >
>     > Right ;-) Among many other nice ones, I like:
>     >
>     > ``'IPS' devices require artificially-engineered topological
>     > symmetry - can have a negative impact on resiliency via path
>     > diversity.''
>
>     Dang, I thought this quote was from an April 1st RFC when I first
>     read it.
>
>     I hate to be the bearer of bad news, but everything we do is
>     "artificial". There are no routers in nature, no IP packets, no
>     fiber optics. There is no such thing as "natural engineering" --
>     engineering is "artificial" by definition.
>
>     So when you're configuring artificially-engineered protocols on
>     your artificially-engineered router so that your
>     artificially-engineered network can transmit
>     artificially-engineered packets, adding some extra
>     artificially-engineered logic to enforce symmetry won't break the
>     bank, I promise. And when done properly it has absolutely no impact
>     on resilience and path diversity, and will do you all the good in
>     the world from a troubleshooting perspective (those of you who
>     operate networks).
>
>     The whole presentation is frankly just odd to me. It looks at one
>     specific CND threat (DDoS), and attempts to address it by throwing
>     out the baby with the bathwater. It says to eliminate state at all
>     costs, but then at the end advocates for reverse proxies -- which
>     are stateful, and which therefore create the same "problems" as
>     firewalls and IPSs.
>
>     The idea of ripping out firewall/IPS devices and replacing them
>     with router ACLs is something that, if I were an attacker, I would
>     definitely encourage all of my targets to do. Firewalls aren't so
>     much the big issue -- one can theoretically use router ACLs for
>     basic L3/L4 blocks, though they scale horribly from an O&M
>     perspective, are more prone to configuration errors, and their
>     manageability is poor. But there's no overstating the usefulness of
>     a properly-tuned IPS for attack prevention, and the comment in the
>     brief comparing an IPS to "[Having] your email client set to alert
>     you to incoming mail" is so bizarre that I wouldn't even know how
>     to counter it.
>
>     (I know you're out there Roland and my intention isn't to get into
>     a big thing with you. But the artificial-engineering thing gave me
>     a chuckle.)
>
>     On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
>     > On 05/02/2015 08:01, Roland Dobbins wrote:
>     >>
>     >> The real question is, why 'inspect', at all?
>     >
>     > Yes, that's an even more interesting discussion!
>
>     Only if your assets aren't targets. :-)
>
>     -Terry
>
>
>
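The symmetry requirement that the quoted slide, Jim and Terry are arguing about follows from how stateful inspection works: a stateful IPS or firewall builds a connection table from the handshake it observes, and drops packets that do not match an entry. If the return path bypasses the device, it never sees the server's half of the handshake and starts dropping the client's legitimate packets, whereas a stateless router ACL (Terry's L3/L4 block) does not care which path the reply took. The following toy simulation, added here as an example and not taken from the thread or from any vendor's code, shows both behaviours side by side. The hosts, ports, the two paths and the minimal connection-tracking logic are all constructed for illustration and stand in for a real tracking engine.

```python
"""Toy model of why a stateful IPS/firewall needs path symmetry.

Added example, not from the thread. Hosts, ports and the two paths are
constructed; the device logic is a deliberately minimal stand-in for a
real connection-tracking engine.
"""
from dataclasses import dataclass

CLIENT = "198.51.100.10"   # constructed (RFC 5737 documentation range)
SERVER = "203.0.113.20"    # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a flow share state."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulInspector:
    """Forwards only packets belonging to a handshake it has fully observed."""

    def __init__(self):
        self.half_open = set()
        self.established = set()
        self.dropped = []

    def forward(self, p):
        k = flow_key(p)
        if p.flags == "SYN":
            self.half_open.add(k)
            return True
        if p.flags == "SYN-ACK" and k in self.half_open:
            self.half_open.discard(k)
            self.established.add(k)
            return True
        if k in self.established:
            return True
        # Anything else is out-of-state: a stateful device drops it.
        self.dropped.append(p)
        return False


class StatelessAcl:
    """Router ACL: a per-packet L3/L4 match with no memory of flows."""

    def __init__(self, service_ports):
        self.service_ports = set(service_ports)
        self.dropped = []

    def forward(self, p):
        # Permit traffic to the service port and replies from it; nothing
        # here depends on having seen the other direction of the flow.
        if p.dport in self.service_ports or p.sport in self.service_ports:
            return True
        self.dropped.append(p)
        return False


def simulate(make_device, symmetric):
    """Run one client->server TCP handshake plus a data segment.

    Path A carries the inspection device; path B bypasses it. With
    symmetric routing both directions use A. With asymmetric routing the
    server's replies take B, so the device never sees the SYN-ACK.
    Returns a list of (flags, path, delivered) tuples.
    """
    device = make_device()
    packets = [
        Packet(CLIENT, 40000, SERVER, 443, "SYN"),
        Packet(SERVER, 443, CLIENT, 40000, "SYN-ACK"),
        Packet(CLIENT, 40000, SERVER, 443, "ACK"),
        Packet(CLIENT, 40000, SERVER, 443, "DATA"),
    ]
    results = []
    for p in packets:
        client_to_server = p.src == CLIENT
        path = "A" if (client_to_server or symmetric) else "B"
        delivered = device.forward(p) if path == "A" else True
        results.append((p.flags, path, delivered))
    return results


def delivered_count(results):
    """Number of packets that reached their destination."""
    return sum(1 for _, _, ok in results if ok)


if __name__ == "__main__":
    for name, factory in [("stateful IPS", StatefulInspector),
                          ("stateless ACL", lambda: StatelessAcl({443}))]:
        for symmetric in (True, False):
            r = simulate(factory, symmetric)
            print(f"{name:13s} symmetric={symmetric!s:5s} "
                  f"delivered {delivered_count(r)}/4: {r}")
```

With symmetric routing the stateful device delivers all four packets; with asymmetric routing it delivers the SYN, never sees the SYN-ACK, and then drops the client's ACK and data as out-of-state, which is exactly the operational failure that makes operators either pin flows to one path (the "extra logic to enforce symmetry" Terry describes) or share connection state between devices. The stateless ACL delivers everything on both topologies, but it also has no notion of an out-of-state packet at all, which is the trade-off the thread is really about.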