Hi Rich!


On Fri, Feb 19, 2010 at 7:52 AM, Rich Kulawiec <rsk@gsp.org> wrote:
quoted text
> On Wed, Feb 17, 2010 at 10:59:05PM -0500, Jason Beaudoin wrote:
>> As I often have greater respect for a much larger portion of this list
>> than the rest of the internet, I am curious what is thought about
>> current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
>> Alert Logic, mod_security, even snort.. etc, and in particular, the
>> sensibility and effectiveness of using them in high-security
>> environments.
>
> They're very-overpriced junk.

I'm not going to argue, and this discussion has certainly brought up a
few good points which enumerate why, I had just been hoping that the
investment spent would not go towards hardware or a crap system, as
much as the service of having someone looking over the information.

quoted text
> Let me explain why.
>
> First, if you're using a good firewall (like pf on OpenBSD) and you've
> configured it sensibly (read: default deny-all, bidirectionally) and
> you've done the other things that good network and system design tell
> you to do, then you've done far more for your operation's security
> than any of these overpriced overhyped devices will do for you.

agreed, my situation isn't one with overall flexibility - an IDS/IPS
is a compliance requirement, but I don't really see a commercial
solution fitting my network so much any more.

quoted text
> Don't forget the value of application-aware proxies behind a
> stateful packet filter.

yes, I am considering mod_security for this, though I'm still trying
to determine how to best organize it, as I just put in an nginx proxy.


quoted text
> And don't forget to drop packets to/from as much of the Internet
> as you can -- see ipdeny.com.  (Do you *really* need to allow incoming
> port 22 connections from Korea?  Peru?  the US?)  Also use the Spamhaus
> DROP list in your perimeter devices *and* in onboard firewalls just in
> case there's a configuration screwup.  Once you've done this, you
> can fret a lot less about what particular SQL injection attack is
> being carried via HTTP...because you're not even allowing [most of]
> the packets to get anywhere near a web server.

Definitely great suggestions - and while our client-base is
international, and we do travel, I can still use this selectively and
it makes sense to do even with the added overhead to maintain.

quoted text
> Second, these devices are guaranteed to fail when you'll need them most:
> when an attack comes that they don't have a signature for, won't recognize,
> and won't stop.  (And please don't anyone tell me that this won't happen:
> the Bad Guys can test against them, too, you know.)  See Marcus Ranum's
> "Six Dumbest Ideas in Computer Security" and note #2: "Enumerating
> Badness", which is expounds the fundamental error that all these devices
> make.  Quoting Ranum:
>
>        One clear symptom that you have a case of "Enumerating Badness"
>        is that you've got a system or software that needs signature
>        updates on a regular basis, or a system that lets past a new
>        worm that it hasn't seen before.
>
> Yeah.  Like that.

Indeed. see the ref below

quoted text
> Third, any sufficiently determined attacker will either bypass or elude
> these devices.  I don't know where you are, what your operation is, etc.,
> but I'll bet that if I *really* wanted to get inside it, that handing
> out free USB memory sticks (with your company's logo on them) to your
> colleagues in the parking lot would be enough to gain a foothold.
> So rather than buying one of these, I think a much more prudent step
> would be to install *internal* firewalls that treat end-user systems
> as untrusted.

Here's a great article that exemplifies the results:
http://www.informationweek.com/blog/main/archives/2010/02/another_massive.htm
l


quoted text
> To put it another way: your own users are easily the biggest threat.
> Presume that they are either apathetic, idiotic, or actively hostile,
> and defend accordingly.
>
> ---Rsk
>
>

indeed, hence the challenge. thank you for sharing!

~Jason