Re: OT: opinions on IDS / IPS solutions

From: Rich Kulawiec
Date: Friday, February 19, 2010 - 5:52 am

On Wed, Feb 17, 2010 at 10:59:05PM -0500, Jason Beaudoin wrote:

They're very overpriced junk.

Let me explain why.

First, if you're using a good firewall (like pf on OpenBSD) and you've
configured it sensibly (read: default deny-all, bidirectionally) and
you've done the other things that good network and system design tell
you to do, then you've done far more for your operation's security
than any of these overpriced overhyped devices will do for you.

Don't forget the value of application-aware proxies behind a
stateful packet filter.

And don't forget to drop packets to/from as much of the Internet
as you can -- see ipdeny.com.  (Do you *really* need to allow incoming
port 22 connections from Korea?  Peru?  the US?)  Also use the Spamhaus
DROP list in your perimeter devices *and* in onboard firewalls just in
case there's a configuration screwup.  Once you've done this, you
can fret a lot less about what particular SQL injection attack is
being carried via HTTP...because you're not even allowing [most of]
the packets to get anywhere near a web server.

Second, these devices are guaranteed to fail when you'll need them most:
when an attack comes that they don't have a signature for, won't recognize,
and won't stop.  (And please don't anyone tell me that this won't happen:
the Bad Guys can test against them, too, you know.)  See Marcus Ranum's
"Six Dumbest Ideas in Computer Security" and note #2: "Enumerating
Badness", which expounds the fundamental error that all these devices
make.  Quoting Ranum:

	One clear symptom that you have a case of "Enumerating Badness"
	is that you've got a system or software that needs signature
	updates on a regular basis, or a system that lets past a new
	worm that it hasn't seen before.

Yeah.  Like that.

Third, any sufficiently determined attacker will either bypass or elude
these devices.  I don't know where you are, what your operation is, etc.,
but I'll bet that if I *really* wanted to get inside it, that handing
out free USB memory sticks (with your company's logo on them) to your
colleagues in the parking lot would be enough to gain a foothold.
So rather than buying one of these, I think a much more prudent step
would be to install *internal* firewalls that treat end-user systems
as untrusted.

To put it another way: your own users are easily the biggest threat.
Presume that they are either apathetic, idiotic, or actively hostile,
and defend accordingly.

---Rsk
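An added example, not from Rich's post: a minimal OpenBSD pf.conf in the spirit of what he describes (default deny in both directions, listed ranges dropped before any pass rule, internal users treated as untrusted). Interface names, addresses, the management prefix and the table file paths are assumptions; the table files are assumed to be filled from the Spamhaus DROP list and ipdeny.com ranges by an out-of-band update job.

```pf
# Assumed interfaces and addresses (not from the post).
ext_if   = "em0"
int_if   = "em1"
web_srv  = "192.0.2.10"          # assumed DMZ web server
mgmt_net = "198.51.100.0/24"     # assumed management network

# Address lists kept in tables; files are assumed to be maintained
# separately (Spamhaus DROP, ipdeny.com country ranges).
table <drop>      persist file "/etc/pf/spamhaus_drop.txt"
table <countries> persist file "/etc/pf/blocked_countries.txt"

set block-policy drop
set skip on lo0

# Default deny, both directions, logged.
block log all

# Drop listed ranges first and with "quick", so no later pass rule
# (including a mistaken one) can let them through.
block drop quick from <drop> to any
block drop quick from any to <drop>
block drop in quick on $ext_if from <countries> to any

# Only the service you intend to offer: HTTP/HTTPS to the DMZ host.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# Administrative SSH only from the management network, not the world.
pass in on $ext_if proto tcp from $mgmt_net to $web_srv port 22 \
    flags S/SA keep state

# Internal users are untrusted: permit only DNS and web outbound.
pass in  on $int_if proto { tcp, udp } from $int_if:network to any \
    port { 53, 80, 443 } keep state
pass out on $ext_if proto { tcp, udp } from $int_if:network to any \
    port { 53, 80, 443 } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and refresh the tables with `pfctl -t drop -T replace -f /etc/pf/spamhaus_drop.txt` after the list files are updated.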