Hi Rich!
On Fri, Feb 19, 2010 at 7:52 AM, Rich Kulawiec <r...@gsp.org> wrote:
> On Wed, Feb 17, 2010 at 10:59:05PM -0500, Jason Beaudoin wrote:
>> As I often have greater respect for a much larger portion of this list
>> than the rest of the internet, I am curious what is thought about
>> current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
>> Alert Logic, mod_security, even snort.. etc, and in particular, the
>> sensibility and effectiveness of using them in high-security
>> environments.
>
> They're very-overpriced junk.

I'm not going to argue, and this discussion has certainly brought up a few good points which enumerate why. I had just been hoping that the investment spent would not go towards hardware or a crap system, as much as the service of having someone looking over the information.

> Let me explain why.
>
> First, if you're using a good firewall (like pf on OpenBSD) and you've
> configured it sensibly (read: default deny-all, bidirectionally) and
> you've done the other things that good network and system design tell
> you to do, then you've done far more for your operation's security
> than any of these overpriced overhyped devices will do for you.

Agreed. My situation isn't one with overall flexibility - an IDS/IPS is a compliance requirement, but I don't really see a commercial solution fitting my network so much any more.

> Don't forget the value of application-aware proxies behind a
> stateful packet filter.

Yes, I am considering mod_security for this, though I'm still trying to determine how to best organize it, as I just put in an nginx proxy.

> And don't forget to drop packets to/from as much of the Internet
> as you can -- see ipdeny.com. (Do you *really* need to allow incoming
> port 22 connections from Korea? Peru? the US?) Also use the Spamhaus
> DROP list in your perimeter devices *and* in onboard firewalls just in
> case there's a configuration screwup. Once you've done this, you
> can fret a lot less about what particular SQL injection attack is
> being carried via HTTP...because you're not even allowing [most of]
> the packets to get anywhere near a web server.

Definitely great suggestions - and while our client-base is international, and we do travel, I can still use this selectively, and it makes sense to do even with the added overhead to maintain.

> Second, these devices are guaranteed to fail when you'll need them most:
> when an attack comes that they don't have a signature for, won't recognize,
> and won't stop. (And please don't anyone tell me that this won't happen:
> the Bad Guys can test against them, too, you know.) See Marcus Ranum's
> "Six Dumbest Ideas in Computer Security" and note #2: "Enumerating
> Badness", which expounds the fundamental error that all these devices
> make. Quoting Ranum:
>
> One clear symptom that you have a case of "Enumerating Badness"
> is that you've got a system or software that needs signature
> updates on a regular basis, or a system that lets past a new
> worm that it hasn't seen before.
>
> Yeah. Like that.

Indeed. See the ref below.

> Third, any sufficiently determined attacker will either bypass or elude
> these devices. I don't know where you are, what your operation is, etc.,
> but I'll bet that if I *really* wanted to get inside it, that handing
> out free USB memory sticks (with your company's logo on them) to your
> colleagues in the parking lot would be enough to gain a foothold.
> So rather than buying one of these, I think a much more prudent step
> would be to install *internal* firewalls that treat end-user systems
> as untrusted.

Here's a great article that exemplifies the results: http://www.informationweek.com/blog/main/archives/2010/02/another_massive.html

> To put it another way: your own users are easily the biggest threat.
> Presume that they are either apathetic, idiotic, or actively hostile,
> and defend accordingly.
>
> ---Rsk

Indeed, hence the challenge. Thank you for sharing!

~Jason
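Rich's first two points (pf on OpenBSD with a bidirectional default deny, plus ipdeny.com zone files and the Spamhaus DROP list loaded at the perimeter and on the host itself) as an added example pf.conf; it is not from the original thread or from either author. The interface name, file paths and the admin network are assumptions, and the list files are assumed to have already been converted to one CIDR per line.

```pf
# Added example pf.conf for OpenBSD: bidirectional default deny with
# ipdeny.com country zones and the Spamhaus DROP list loaded as tables.
# Interface name, file paths and the admin network are assumptions.
ext_if = "em0"

# Table files: one CIDR per line with '#' comments only (the raw Spamhaus
# DROP list uses ';' comments and must be converted before pfctl loads it).
table <spamhaus_drop> persist file "/etc/pf/spamhaus_drop.txt"
table <geo_blocked>   persist file "/etc/pf/ipdeny_blocked_zones.txt"
# Where management logins may come from (assumed placeholder network).
table <admin_nets>    persist { 192.0.2.0/24 }

set skip on lo0
set block-policy drop        # silently drop rather than answer with RST/ICMP
set loginterface $ext_if

# Default deny in BOTH directions; everything below is an explicit exception.
block log all

# Drop-list traffic first, inbound and outbound, so a mistake further down
# (or a compromised host talking out) still cannot reach these networks.
block in  log quick on $ext_if from <spamhaus_drop> to any
block out log quick on $ext_if from any to <spamhaus_drop>
block in  log quick on $ext_if from <geo_blocked>   to any

# Outbound: only what this host's role actually needs (DNS, NTP, web).
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port { 53 123 }
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 }

# Inbound: the public service, and SSH only from the admin networks
# rather than from the whole Internet.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 }
pass in on $ext_if proto tcp from <admin_nets> to ($ext_if) port 22
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and refresh a list without reloading the whole rule set with `pfctl -t spamhaus_drop -T replace -f /etc/pf/spamhaus_drop.txt`.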