On Wed, Feb 17, 2010 at 10:59:05PM -0500, Jason Beaudoin wrote:
> As I often have greater respect for a much larger portion of this list
> than the rest of the internet, I am curious what is thought about
> current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
> Alert Logic, mod_security, even snort.. etc, and in particular, the
> sensibility and effectiveness of using them in high-security
> environments.
They're very overpriced junk. Let me explain why.

First, if you're using a good firewall (like pf on OpenBSD) and you've configured it sensibly (read: default deny-all, bidirectionally) and you've done the other things that good network and system design tell you to do, then you've done far more for your operation's security than any of these overpriced, overhyped devices will do for you. Don't forget the value of application-aware proxies behind a stateful packet filter. And don't forget to drop packets to/from as much of the Internet as you can -- see ipdeny.com. (Do you *really* need to allow incoming port 22 connections from Korea? Peru? the US?) Also use the Spamhaus DROP list in your perimeter devices *and* in onboard firewalls just in case there's a configuration screwup. Once you've done this, you can fret a lot less about what particular SQL injection attack is being carried via HTTP...because you're not even allowing [most of] the packets to get anywhere near a web server.

Second, these devices are guaranteed to fail when you'll need them most: when an attack comes that they don't have a signature for, won't recognize, and won't stop. (And please don't anyone tell me that this won't happen: the Bad Guys can test against them, too, you know.) See Marcus Ranum's "Six Dumbest Ideas in Computer Security" and note #2: "Enumerating Badness", which expounds the fundamental error that all these devices make. Quoting Ranum:

    One clear symptom that you have a case of "Enumerating Badness" is
    that you've got a system or software that needs signature updates on
    a regular basis, or a system that lets past a new worm that it hasn't
    seen before.

Yeah. Like that.

Third, any sufficiently determined attacker will either bypass or elude these devices. I don't know where you are, what your operation is, etc., but I'll bet that if I *really* wanted to get inside it, that handing out free USB memory sticks (with your company's logo on them) to your colleagues in the parking lot would be enough to gain a foothold. So rather than buying one of these, I think a much more prudent step would be to install *internal* firewalls that treat end-user systems as untrusted.

To put it another way: your own users are easily the biggest threat. Presume that they are either apathetic, idiotic, or actively hostile, and defend accordingly.

---Rsk
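As an added illustration (not Rsk's own configuration) of the policy the reply describes, here is a minimal OpenBSD pf.conf that is default-deny in both directions, drops the Spamhaus DROP list and ipdeny.com country blocks before any pass rule is consulted, and treats the internal user network as untrusted. Interface names, the table file paths, the <admin_nets> table and the 192.0.2.x addresses are assumptions constructed for the example.

```pf
# Assumed interface names and an RFC 5737 documentation address.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"

# Tables loaded from local files. The Spamhaus DROP list and the ipdeny.com
# country ranges are fetched separately and written to these (assumed) paths;
# refresh with: pfctl -t spamhaus_drop -T replace -f /etc/pf/spamhaus-drop.txt
table <spamhaus_drop>     persist file "/etc/pf/spamhaus-drop.txt"
table <blocked_countries> persist file "/etc/pf/ipdeny-blocked.txt"
table <admin_nets>        persist { 192.0.2.0/28 }   # constructed admin range

set skip on lo0
set block-policy drop

# Default deny, bidirectionally: anything not explicitly passed below is
# silently dropped and logged.
block log all

# Listed networks are dropped early with "quick" so no later pass rule can
# ever admit them, inbound or outbound.
block drop in  quick on $ext_if from { <spamhaus_drop>, <blocked_countries> }
block drop out quick on $ext_if to   { <spamhaus_drop>, <blocked_countries> }

# Inbound: only the web service, and SSH only from the admin ranges, rather
# than port 22 from the whole Internet.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA keep state
pass in on $ext_if proto tcp from <admin_nets> to $int_if:network port 22 \
    flags S/SA keep state

# Internal workstations are untrusted: they get only DNS and web outbound,
# and nothing from the user LAN may initiate connections to the web server.
block in quick on $int_if from $int_if:network to $web_srv
pass out on $ext_if proto { tcp, udp } from $int_if:network \
    to any port { 53, 80, 443 } keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and verify that the block tables are populated with `pfctl -t spamhaus_drop -T show`.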