Checkpoint IPS

Roland Dobbins rdobbins at arbor.net
Thu Feb 5 18:40:49 UTC 2015


On 6 Feb 2015, at 1:26, Matthew Huff wrote:

> Like it's been said before, I strongly support my competitors 
> following your advice.

Sorry - I've done the jobs, all of them.  They can be done properly, and 
are done properly by clueful operators.

Oh, and what are operators who deploy these things supposed to do about 
*vulnerabilities in these devices themselves*?  That's a huge problem; 
they present a juicy attack surface, and exploits are discovered 
regularly.  That's in the presentation, as well.

I've heard these same tired arguments over and over again.  Folks tend 
to change their tune when their entire production infrastructure is 
rendered unavailable by a tiny DDoS which could be sourced from a single 
smartphone; it's just sad that so many are only ready to listen and 
learn after they've suffered serious production-impacting outages.

If all it took to achieve *real* security - as opposed to 'compliance' 
or vendor marketing 'security' - were to write a check or cut a P.O. and 
drop some middlebox/middleblade in the network, we wouldn't be in the 
permanent state of security emergency in which we find ourselves.

*Real* security mostly consists of *doing things*.  It requires skilled, 
experienced people who have both broad and deep expertise across the 
entire OSI model, are well-versed in architecture and the operational 
arts, and who understand all the implications of scale.

Unfortunately, such people are relatively rare, even within the 
self-selected ranks of network operators - as several posts on this 
thread clearly demonstrate.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
