Re: Checkpoint IPS

2015-02-08 Thread Roland Dobbins
On 8 Feb 2015, at 23:00, BPNoC Group wrote: Mr Dobbins' slides/presentation gives an idea that a proxy (waf, whatever) fits sitting unprotected among routers and application servers, while its also stateful and fragile enough to deserve previous protection. from p.16 of the presentation in

Re: Checkpoint IPS

2015-02-08 Thread BPNoC Group
On Sun, Feb 8, 2015 at 2:05 AM, Ca By wrote: > On Friday, February 6, 2015, Roland Dobbins wrote: > > > > > On 6 Feb 2015, at 23:23, Darden, Patrick wrote: > > > > And when your opinion is an acknowledged universal constant, I will tip > >> my hat to you. > >> > > > > It's been a constant for

Re: Checkpoint IPS

2015-02-07 Thread Ca By
On Friday, February 6, 2015, Roland Dobbins wrote: > > On 6 Feb 2015, at 23:23, Darden, Patrick wrote: > > And when your opinion is an acknowledged universal constant, I will tip >> my hat to you. >> > > It's been a constant for the last couple of decades - I can't count the > number of times I

Re: Checkpoint IPS

2015-02-06 Thread Colin Johnston
> -Original Message- > From: Colin Johnston [mailto:col...@gt86car.org.uk] > Sent: Friday, February 06, 2015 10:46 AM > To: Darden, Patrick > Cc: Colin Johnston; Roland Dobbins; nanog@nanog.org > Subject: [EXTERNAL]Re: Checkpoint IPS > > Yes, update can cause problem

RE: Re: Checkpoint IPS

2015-02-06 Thread Darden, Patrick
Johnston; Roland Dobbins; nanog@nanog.org Subject: [EXTERNAL]Re: Checkpoint IPS Yes, update can cause problems, same as router code updates as well. but update is price of progress. Col > On 6 Feb 2015, at 16:44, Darden, Patrick wrote: > > > Sorry, didn't mean to imply otherwise.

Re: Checkpoint IPS

2015-02-06 Thread Colin Johnston
o: Darden, Patrick > Cc: Colin Johnston; Roland Dobbins; nanog@nanog.org > Subject: [EXTERNAL]Re: Checkpoint IPS > > Thought I would add > > Astaro IPS works great, great functionality and does prevent ddos and > exploits. > > Colin >

RE: Re: Checkpoint IPS

2015-02-06 Thread Darden, Patrick
o:col...@gt86car.org.uk] Sent: Friday, February 06, 2015 10:32 AM To: Darden, Patrick Cc: Colin Johnston; Roland Dobbins; nanog@nanog.org Subject: [EXTERNAL]Re: Checkpoint IPS Thought I would add Astaro IPS works great, great functionality and does prevent ddos and exploits. Colin

Re: Checkpoint IPS

2015-02-06 Thread Colin Johnston
Thought I would add Astaro IPS works great, great functionality and does prevent ddos and exploits. Colin

Re: Checkpoint IPS

2015-02-06 Thread Roland Dobbins
On 6 Feb 2015, at 23:23, Darden, Patrick wrote: And when your opinion is an acknowledged universal constant, I will tip my hat to you. It's been a constant for the last couple of decades - I can't count the number of times I've been involved in mitigating penny-ante DDoS attacks which succ

RE: Re: Checkpoint IPS

2015-02-06 Thread Darden, Patrick
, February 06, 2015 10:09 AM To: nanog@nanog.org Subject: [EXTERNAL]Re: Checkpoint IPS On 6 Feb 2015, at 21:27, Darden, Patrick wrote: > I understand the whole argument against state, and dismiss it. One can 'dismiss' the speed of light in a vacuum or the Planck constant, but that doesn

Re: Checkpoint IPS

2015-02-06 Thread Roland Dobbins
On 6 Feb 2015, at 21:27, Darden, Patrick wrote: I understand the whole argument against state, and dismiss it. One can 'dismiss' the speed of light in a vacuum or the Planck constant, but that doesn't exempt one from their constraints. --- Roland Dobbins

RE: Re: Checkpoint IPS

2015-02-06 Thread Darden, Patrick
Absolutely. > Valuable humans behind the tools will always provide better benefits than > what vendors may generically sell/deliver.

Re: Checkpoint IPS

2015-02-06 Thread Joel Maslak
On Thu, Feb 5, 2015 at 10:47 AM, Roland Dobbins wrote: > > On 6 Feb 2015, at 0:38, Raymond Burkholder wrote: > > > There must some sort of value in that? > > No - patch the servers. > Patching servers protects against >0 Day attacks only. This does not protect against 0 day attacks, unless you

Re: Checkpoint IPS

2015-02-06 Thread Patrick Tracanelli
Hello, > On 06/02/2015, at 11:08, Ray Soucy wrote: > > An IPS doesn't have to be in line. AFAIK this is basically what defines an IPS. > It can be something watching a tap and scripted to use something else > to block traffic (e.g. hardware filtering options on a router that can > handle it).

RE: Re: Checkpoint IPS

2015-02-06 Thread Darden, Patrick
IPSes are like any security technology, they are only as good as their implementor/administrator. I've seen some installations just set up defaults and leave them that way without any maintenance nor much oversight of alarms. I've even seen some that do 0-day implementation of new signatures,

Re: Checkpoint IPS

2015-02-06 Thread Roland Dobbins
On 6 Feb 2015, at 20:08, Ray Soucy wrote: An IDS tied into an internal RTBH setup to leverage uRPF filtering in hardware can be pretty effective at detecting and blocking the typical UDP attacks out there before they reach systems that don't handle that as gracefully (e.g. firewalls or host sys

Re: Checkpoint IPS

2015-02-06 Thread Ray Soucy
An IPS doesn't have to be in line. It can be something watching a tap and scripted to use something else to block traffic (e.g. hardware filtering options on a router that can handle it). An IDS tied into an internal RTBH setup to leverage uRPF filtering in hardware can be pretty effective at det

Re: Checkpoint IPS

2015-02-05 Thread Patrick Tracanelli
On 05/02/2015, at 12:31, Terry Baranski wrote: On Thu, Feb 5, 2015 at 8:34 AM, Roland Dobbins wrote: I've never heard a plausible anecdote, much less seen meaningful statistics, of these devices actually 'preventing' anything. People tend to hear what they want to hear. Surely your cla

Re: Checkpoint IPS

2015-02-05 Thread Skeeve Stevens
+100% agree. ...Skeeve *Skeeve Stevens - Founder & Chief Network Architect* eintellego Networks Pty Ltd Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve Facebook: eintellegonetworks

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 6 Feb 2015, at 4:24, Terry Baranski wrote: It highlights the importance of knowing what you're doing in the real world, on networks that exist and which you actually understand intimately, end-to-end. Absolutely. At least one of the parties in this discussion has such knowledge of and

RE: Checkpoint IPS

2015-02-05 Thread Terry Baranski
On 6 Feb 2015, at 3:01, Roland Dobbins wrote: > Which highlights the importance of broadness of experience, of > knowledge and understanding of the experiences of others, and > understanding of the implications of scale. It highlights the importance of knowing what you're doing in the real worl

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 6 Feb 2015, at 2:26, Terry Baranski wrote: Zero, on my networks. Which highlights the importance of broadness of experience, of knowledge and understanding of the experiences of others, and understanding of the implications of scale. If you can't deploy IPS's in such a way that they do

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 6 Feb 2015, at 2:29, Terry Baranski wrote: And if there's one person qualified to comment on what "real security" is, it's a person who has "never heard a plausible anecdote of [IPS] devices actually 'preventing' anything." :-) That's right - especially if such a person spent a not-incons

Re: Checkpoint IPS

2015-02-05 Thread Terry Baranski
On 6 Feb 2015, at 1:40pm, Roland Dobbins wrote: > *Real* security mostly consists of *doing things*. It requires skilled, experienced > people who have both broad and deep expertise across the entire OSI model, are > well-versed in architecture and the operational arts, and who understand all the

Re: Checkpoint IPS

2015-02-05 Thread Terry Baranski
On 6 Feb 2015, at 11:46, Valdis Kletnieks wrote: > Count up the number of *actual* attacks they have stopped > that wouldn't have been stopped otherwise Many. > and contrast it > to the number of times they've been used as the *basis* for > an attack (DDoS via state exhaustion, for starters) Z

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 6 Feb 2015, at 1:26, Matthew Huff wrote: Like it's been said before, I strongly support my competitors following your advice. Sorry - I've done the jobs, all of them. They can be done properly, and are done properly by clueful operators. Oh, and what are operators who deploy these thin

RE: Checkpoint IPS

2015-02-05 Thread Matthew Huff
og-boun...@nanog.org] On Behalf Of Roland Dobbins Sent: Thursday, February 5, 2015 1:11 PM To: nanog@nanog.org Subject: Re: Checkpoint IPS On 6 Feb 2015, at 0:55, Matthew Huff wrote: > What if you are a hosting company and those aren't your servers to > patch? Then it isn't th

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 6 Feb 2015, at 0:55, Matthew Huff wrote: What if you are a hosting company and those aren't your servers to patch? Then it isn't the operator's problem. What about the time to patch 200+ servers versus configuring one location? Operators should have sufficient automation to do this qui

RE: Checkpoint IPS

2015-02-05 Thread Matthew Huff
To: nanog@nanog.org Subject: Re: Checkpoint IPS On 6 Feb 2015, at 0:38, Raymond Burkholder wrote: > There must some sort of value in that? No - patch the servers. --- Roland Dobbins

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 6 Feb 2015, at 0:38, Raymond Burkholder wrote: > There must some sort of value in that? No - patch the servers. --- Roland Dobbins

RE: Checkpoint IPS

2015-02-05 Thread Raymond Burkholder
> > But there's no overstating the usefulness of a properly-tuned IPS for > > attack prevention > > I've never heard a plausible anecdote, much less seen meaningful statistics, > of these devices actually 'preventing' anything. I think it depends upon where you put them, and whether or not you ha

Re: Checkpoint IPS

2015-02-05 Thread Valdis . Kletnieks
On Thu, 05 Feb 2015 09:31:49 -0500, Terry Baranski said: > People tend to hear what they want to hear. Surely your claim can't be that > an IPS has never, in the history of Earth, prevented an attack or exploit. > So it's unclear to me what you're actually trying to say here. Count up the number

Re: Checkpoint IPS

2015-02-05 Thread Valdis . Kletnieks
On Thu, 05 Feb 2015 07:51:56 +0100, Michael Hallgren said: > I know. However, I fail to see symmetric traffic flow as ``natural'', > apart from maybe at the extreme edge of a network. So, need another > inspection strategy I think. Firewalls aren't much help except at that extreme edge, anyhow.

Re: Checkpoint IPS

2015-02-05 Thread Nick Hilliard
On 05/02/2015 13:15, jim deleskie wrote: > you know that forcing traffic to be symmetrical is evil it's not evil; it's stupid because enforcing symmetry creates a potentially unnatural stress in a network which will revert to asymmetry, given half a chance. Nick

Re: Checkpoint IPS

2015-02-05 Thread Terry Baranski
On Thu, Feb 5, 2015 at 8:34 AM, Roland Dobbins wrote: > I've never heard a plausible anecdote, much less seen meaningful statistics, > of these devices actually 'preventing' anything. People tend to hear what they want to hear. Surely your claim can't be that an IPS has never, in the history of

Re: Checkpoint IPS

2015-02-05 Thread Michael Hallgren
n Behalf Of Michael O Holstein > Sent: Thursday, February 05, 2015 8:13 AM > To: nanog@nanog.org > Subject: Re: Checkpoint IPS > > >>> `` 'IPS' devices require artificially-engineered topological symmetry- >>> can have a negative impact on resiliency via pat

Re: Checkpoint IPS

2015-02-05 Thread Michael Hallgren
Le 05/02/2015 14:15, jim deleskie a écrit : > mh, Hi there Jim :-) > > you know that forcing traffic to be symmetrical is evil, Voilà ! > and while backbone traffic and inspection don't play nice, there are > very legit reasons why, in many cases edge traffic must be open for > inspection. Ye

Re: Checkpoint IPS

2015-02-05 Thread Michael Hallgren
Le 05/02/2015 13:57, Terry Baranski a écrit : > On 5 Feb 2015, at 01:56, Michael Hallgren wrote: >> Le 04/02/2015 17:19, Roland Dobbins a écrit : >>> Real life limitations? >>> https://app.box.com/s/a3oqqlgwe15j8svojvzl >> Right ;-) Among many other nice ones, I like: >> >> `` ‘IPS’ devices require

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 5 Feb 2015, at 19:57, Terry Baranski wrote: I hate to be the bearer of bad news, but everything we do is "artificial". There are no routers in nature, no IP packets, no fiber optics. There is no such thing as "natural engineering" -- engineering is "artificial" by definition. This isn't

RE: Re: Checkpoint IPS

2015-02-05 Thread Darden, Patrick
Roland Dobbins Sent: Thursday, February 05, 2015 7:20 AM To: nanog@nanog.org Subject: [EXTERNAL]Re: Checkpoint IPS On 5 Feb 2015, at 20:13, Michael O Holstein wrote: > Personally I'm of the belief that *all* IPS systems are equally > worthless, unless the goal is to just check a box on

RE: Checkpoint IPS

2015-02-05 Thread Terry Baranski
can certainly see why you think they're worthless though. :-) -Terry -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Michael O Holstein Sent: Thursday, February 05, 2015 8:13 AM To: nanog@nanog.org Subject: Re: Checkpoint IPS >> `` 'IPS

RE: Checkpoint IPS

2015-02-05 Thread Darden, Patrick
alf Of Michael O Holstein Sent: Thursday, February 05, 2015 7:13 AM To: nanog@nanog.org Subject: [EXTERNAL]Re: Checkpoint IPS Personally I'm of the belief that *all* IPS systems are equally worthless, unless the goal is to just check a box on a form. Sure they will give you pretty graphs

Re: Checkpoint IPS

2015-02-05 Thread Roland Dobbins
On 5 Feb 2015, at 20:13, Michael O Holstein wrote: Personally I'm of the belief that *all* IPS systems are equally worthless, unless the goal is to just check a box on a form. Concur 100%. Securing hosts/applications/services themselves is the way to protect them from compromise.

Re: Checkpoint IPS

2015-02-05 Thread jim deleskie
mh, you know that forcing traffic to be symmetrical is evil, and while backbone traffic and inspection don't play nice, there are very legit reasons why, in many cases edge traffic must be open for inspection. I'm on my way to the office, feel free to ping me if you want to discuss. Or maybe I

Re: Checkpoint IPS

2015-02-05 Thread Michael O Holstein
>> `` ‘IPS’ devices require artificially-engineered topological symmetry- >> can have a negative impact on resiliency via path diversity.'' > >Dang, I thought this quote was from an April 1st RFC when I first read it. > >I hate to be the bearer of bad news, but everything we do is "artificial". >T

RE: Checkpoint IPS

2015-02-05 Thread Terry Baranski
On 5 Feb 2015, at 01:56, Michael Hallgren wrote: > Le 04/02/2015 17:19, Roland Dobbins a écrit : >> >> Real life limitations? >> https://app.box.com/s/a3oqqlgwe15j8svojvzl > > Right ;-) Among many other nice ones, I like: > > `` ‘IPS’ devices require artificially-engineered topological symmetry- >

Re: Checkpoint IPS

2015-02-04 Thread Michael Hallgren
Le 05/02/2015 08:01, Roland Dobbins a écrit : > On 5 Feb 2015, at 13:51, Michael Hallgren wrote: > >> So, need another inspection strategy I think. > The real question is, why 'inspect', at all? Yes, that's an even more interesting discussion! mh > > --- > Roland

Re: Checkpoint IPS

2015-02-04 Thread Roland Dobbins
On 5 Feb 2015, at 13:51, Michael Hallgren wrote: > So, need another inspection strategy I think. The real question is, why 'inspect', at all? --- Roland Dobbins

Re: Checkpoint IPS

2015-02-04 Thread Michael Hallgren
Le 04/02/2015 17:19, Roland Dobbins a écrit : > On 2 Feb 2015, at 19:53, Michael Hallgren wrote: > >> Real life limitations? > Right ;-) Among many other nice ones, I like: `` ‘IPS’ devices require artificially-engineered topological symmetry- can have

Re: Checkpoint IPS

2015-02-04 Thread Michael Hallgren
lto:m.hallg...@free.fr>> wrote: >> >> Hi, >> >> Someone has positive or negative experience running >> Checkpoint IPS cluster over ``long distance'' synch. >> network? Real life limitations? Alternatives? Timers? >>

Re: Checkpoint IPS

2015-02-04 Thread Roland Dobbins
On 2 Feb 2015, at 19:53, Michael Hallgren wrote: > Real life limitations? --- Roland Dobbins

Re: Checkpoint IPS

2015-02-04 Thread Eugeniu Patrascu
On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren wrote: > Le 03/02/2015 16:21, Eugeniu Patrascu a écrit : > > On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren > wrote: > >> Hi, >> >> Someone has positive or negative experience running >> Checkpoint I

Re: Checkpoint IPS

2015-02-03 Thread Michael Hallgren
Le 03/02/2015 16:21, Eugeniu Patrascu a écrit : > On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren <mailto:m.hallg...@free.fr>> wrote: > > Hi, > > Someone has positive or negative experience running > Checkpoint IPS cluster over ``long distance'&

Re: Checkpoint IPS

2015-02-03 Thread Eugeniu Patrascu
On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren wrote: > Hi, > > Someone has positive or negative experience running > Checkpoint IPS cluster over ``long distance'' synch. > network? Real life limitations? Alternatives? Timers? > > You can do "stretched"

Checkpoint IPS

2015-02-02 Thread Michael Hallgren
Hi, Someone has positive or negative experience running Checkpoint IPS cluster over ``long distance'' synch. network? Real life limitations? Alternatives? Timers? Cheers, mh