Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Dailydave] lots of monkeys staring at a screen....security?
From: Jan Münther (jan.muenthernruns.com)
Date: Sun Oct 29 2006 - 11:35:10 CST
> I might be missing something, but I really don't get why we should care
> about all those "simplistic old attacks" - shouldn't we already be
> immune to them?
Of course we should.
What I see "out there" on a daily basis speaks a different language, though.
I've had a longer discussion with a client about IDS/IPS not too long
ago, my standpoint being that it's generally futile.
His position was a bit different, simply because they were expecting
something else from their IPS than the miracles the vendors promise.
They basically use it for essential network hygiene, keeping users in
one network from infecting others in a different segment. So yeah, they
essentially use it as a means of network segregation, which I didn't
find superfluous at all (granted, that is only interesting given a
certain network size, and theirs is huge).
One of the funnier stories was some colleagues of mine owning a client
backwards and forwards, and then, in the concluding final meeting, one
of the execs asked whether one of those IDS systems would have helped.
Then, one of the techies slowly raised his hand and said "Uhm... we do
have one of those.".
I also remember doing some pen tests where one of the explicit purposes
was to test the reaction of managed IDS providers. Apart from one (which
was a false alarm), they all never reacted.
One thing with IDS/IPS is of course these things need to parse pretty
much every protocol under the sun. This of course opens great attack
vectors, and there has even been a worm going at the ISS appliances and
host software (the engine was the same on all of them), of which I heard
took out at least one entire company (as in out of business).
That is something I find slightly ironic: Particularly IPS are often
strategically placed within the DMZs, directly before the crucial
servers. Now, if your IPS is vulnerable, and it gets pwned, the attacker
is right where he/she wants to be.
Dailydave mailing list