Re: IPS arguments

From: Micheal Cottingham (techie.michealgmail.com)
Date: Sun Mar 01 2009 - 00:06:33 CST


I like to think of an IPS, regardless of what vendor you use, as a
"virtual patch." That is, it buys you some time until you can get
those lovely patches tested and rolled out over a 20k+ PC environment.
;) An IPS is not, and should not be, the be-all and end-all, which is
why in my earlier email I mentioned defense in depth.

I absolutely think IPSs have their place in the enterprise, but
anybody that thinks IPSs are going to solve all their problems needs
to rethink their strategies. :)

Micheal

On Fri, Feb 27, 2009 at 2:11 AM, Trygve Aasheim <trygvepogostick.net> wrote:
> I agree, and disagree.
>
> An IPS does a lot more than protect against exploits.
> And of course, all people should behave well, all developers should write
> secure code, all patches should be installed and everybody should respect
> each other in traffic on their way to work.
>
> The world isn't like that, but it is a good thought.
>
> Users will always try "something", developers will always make mistakes from
> time to time, patches might not arrive in time to protect against threats
> (ref. Adobe these days) and the world is a place for people who think about
> themselves first. Sorry. But then...that might be a good thing. It's why we
> have a paycheck ;)
>
> What can an IPS system give you?
> How about monitoring and blocking typical back connections from bots?
> Shellcode being sent over the network? The use of remote desktop tools from
> outside your network (logmein etc)? SSH over other ports than 22? A
> lightweight DLP solution? etc etc etc (a typical IPS usually has hundreds
> of different signatures/filters etc for stuff like this)
>
> I'm not saying that your points ain't valid, and this is not black/white -
> but an IPS is a lot more than just detecting exploit attempts.
>
> Regards,
> T
>
> Danny Fullerton skrev:
>>
>> Personally, from my experience,
>>
>> IPS should not be the main technology to think of when it comes to
>> improving security. I have seen a lot more ROSI on getting a better secure
>> development cycle, a tight patching process and selecting more `secure by
>> design` technologies (memory protection, Java instead of C++, avoid
>> Windows when possible, buy software from a security-oriented company and
>> do some pen tests on those applications, etc) than implementing those
>> complicated IPS systems. For sure, an IPS might be a good thing if all
>> the above is already covered and you still have some money to invest but
>> it should not be the first thing to think of.
>>
>> regards,
>>