On 05/02/2015 13:57, Terry Baranski wrote:
> On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
>> On 04/02/2015 17:19, Roland Dobbins wrote:
>>> Real life limitations?
>>> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>> Right ;-) Among many other nice ones, I like:
>>
>> `` ‘IPS’ devices require artificially-engineered topological symmetry-
>> can have a negative impact on resiliency via path diversity.''
> Dang, I thought this quote was from an April 1st RFC when I first read it.
>
> I hate to be the bearer of bad news, but everything we do is "artificial".
> There are no routers in nature, no IP packets, no fiber optics. There is no
> such thing as "natural engineering" -- engineering is "artificial" by
> definition.
>
> So when you're configuring artificially-engineered protocols on your
> artificially-engineered router so that your artificially-engineered network
> can transmit artificially-engineered packets, adding some extra
> artificially-engineered logic to enforce symmetry won't break the bank, I
> promise. And when done properly it has absolutely no impact on resilience
> and path diversity, and will do you all the good in the world from a
> troubleshooting perspective (those of you who operate networks).

Depends on the underlying physical network... (which may be quite costly to ``fix'').

mh

> The whole presentation is frankly just odd to me. It looks at one specific
> CND thread (DDoS), and attempts to address it by throwing out the baby with
> the bathwater. It says to eliminate state at all costs, but then at the end
> advocates for reverse proxies -- which are stateful, and which therefore
> create the same "problems" as firewalls and IPSs.
>
> The idea of ripping out firewall/IPS devices and replacing them with router
> ACLs is something that, if I were an attacker, I would definitely encourage
> all of my targets to do. Firewalls aren't so much the big issue -- one can
> theoretically use router ACLs for basic L3/L4 blocks, though they scale
> horribly from an O&M perspective, are more prone to configuration errors,
> and their manageability is poor. But there's no overstating the usefulness
> of a properly-tuned IPS for attack prevention, and the comment in the brief
> comparing an IPS to "[Having] your email client set to alert you to incoming
> mail" is so bizarre that I wouldn't even know how to counter it.
>
> (I know you're out there Roland and my intention isn't to get into a big
> thing with you. But the artificial-engineering thing gave me a chuckle.)
>
> On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
>> On 05/02/2015 08:01, Roland Dobbins wrote:
>>> The real question is, why 'inspect', at all?
>> Yes, that's an even more interesting discussion!
> Only if your assets aren't targets. :-)
>
> -Terry