[funsec] so, is I[dp]S a STUPID technology?

Aviram Jenik aviram at beyondsecurity.com
Tue Oct 11 17:48:27 CDT 2005

On Wednesday, 12 October 2005 00:13, Paul Schmehl wrote:
> What if I *do* have a vulnerability and the IPS blocked the attack? 

Then you're a very lucky guy and should go play the lottery. In this rare 
scenario the IPS is more up to date than your vulnerability scanner - this 
means you bought a crappy scanner. It also means there's a very good chance 
you're vulnerable to things your IPS *isn't* blocking, which means you have 
to re-think the way you're protecting your network.

> If you can recommend an *enterprise* capable vulnerability scanner (IOW one
> that I can schedule massive scanning events for a class A *and* class B
> network and then go look at the results when I have time) that doesn't cost
> more than my annual budget, then please do.  

I can, but I won't.

<trimmed a long rant about ISS and nessus>

I can't argue with your experience (I quite agree with it, actually). But just 
because you tried 2 bad tools and failed doesn't mean the idea is flawed - 
just that you need to search a little harder.
There's also a very good reason why you haven't heard of alternatives to ISS 
and nessus, but I really won't get into that. Enough holy wars for one day.

> We all 
> learn from each other because each of us has different skill sets and
> different exposures that color our outlooks.

True. This is what this discussion is about :-)
I don't claim to be objective, but I have seen enough success stories to 
convince me closing vulnerabilities (and not hiding behind a probability 
blocking system) is a very real scenario.

> In edu, I cannot guarantee you, even if I could five minutes ago, that I
> don't have vulnerabilities on my network.  

That's too bad. And this is what you should change. After you fix your 
vulnerabilities and after you *know* you're patched against the known 
problems, go ahead and buy an IPS (or any other candy you wish). Also, you'll 
finally have the time to play with its nice GUI :-)

> I could tell you stories, but you don't have the time, and neither do I.
> Suffice it to say that I'm vulnerable 100% of the time *somewhere* in my
> network, and I don't know it, because they *just* plugged the damn thing
> in.

At the risk of sounding re-re-re-redundant, this is what the VA tool's job is 
- to tell you what new vulnerable stations are suddenly there.

Sorry for getting all serious in funsec; it's all because of the approaching 
Yom Kippur (the Hebrew 'judgement day')...

- Aviram
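The post's point is that a scheduled VA scan, not the IPS, is what tells you which hosts and services appeared on the network since you last looked. The script below is an added illustration of that job, not code from the thread or from any scanner discussed in it: it diffs two scan inventories (a constructed, simplified `host,port,service,finding` line format, an assumption made for the example) and reports new hosts, new services on known hosts, services that disappeared, and the subset of new items that already carry a scanner finding and therefore need triage first.

```python
"""Added example (not from the funsec thread or any product named in it).

Compares a baseline scan inventory against the current one so that newly
plugged-in hosts and newly exposed services stand out, which is the
'tell you what new vulnerable stations are suddenly there' job the post
assigns to a vulnerability-assessment tool.

Input format is constructed for this example:
    host,port,service[,finding]
where 'finding' is free text the scanner attached to that service (may be
empty, and may itself contain commas).
"""
from dataclasses import dataclass

# Constructed sample data: what the scanner saw last week vs. today.
BASELINE_SCAN = """
# host,port,service,finding
10.0.1.10,22,ssh,
10.0.1.10,80,http,
10.0.1.20,139,netbios-ssn,
10.0.1.20,445,smb,
"""

CURRENT_SCAN = """
10.0.1.10,22,ssh,
10.0.1.10,80,http,
10.0.1.10,3306,mysql,listens on all interfaces, no auth required
10.0.1.20,445,smb,
10.0.1.37,8080,http-proxy,vendor default credentials accepted
"""


@dataclass(frozen=True)
class Service:
    """One listening service; host/port/service identify it, the finding does not."""
    host: str
    port: int
    service: str


def parse_inventory(text: str) -> dict[Service, str]:
    """Parse inventory lines into {Service: finding}.

    Blank lines and '#' comments are skipped. Splitting with maxsplit=3
    keeps commas inside the finding text intact. Malformed lines raise
    rather than silently vanishing, since a dropped line here would hide a host.
    """
    inventory: dict[Service, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 3)]
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected host,port,service[,finding]")
        host, port, service = parts[0], int(parts[1]), parts[2]
        finding = parts[3] if len(parts) == 4 else ""
        inventory[Service(host, port, service)] = finding
    return inventory


def diff_inventories(baseline: dict[Service, str],
                     current: dict[Service, str]) -> dict:
    """Report what changed between two scans.

    new_hosts:    hosts absent from the baseline entirely ("just plugged in")
    new_services: services that appeared on hosts already known
    removed:      services present before but not now (decommissioned or scan miss)
    triage:       new hosts/services for which the scanner already has a finding
    """
    known_hosts = {s.host for s in baseline}
    by_addr = lambda s: (s.host, s.port)

    new_hosts = sorted({s.host for s in current} - known_hosts)
    new_services = sorted(
        (s for s in current if s not in baseline and s.host in known_hosts),
        key=by_addr)
    removed = sorted((s for s in baseline if s not in current), key=by_addr)

    appeared = [s for s in current if s not in baseline]
    triage = sorted(((s, current[s]) for s in appeared if current[s]),
                    key=lambda pair: by_addr(pair[0]))
    return {"new_hosts": new_hosts, "new_services": new_services,
            "removed": removed, "triage": triage}


def format_report(diff: dict) -> str:
    """Plain-text summary suitable for a scheduled-job mail."""
    lines = ["New hosts: " + (", ".join(diff["new_hosts"]) or "none")]
    lines.append("New services on known hosts:")
    lines += [f"  {s.host}:{s.port} ({s.service})" for s in diff["new_services"]] or ["  none"]
    lines.append("Services no longer seen:")
    lines += [f"  {s.host}:{s.port} ({s.service})" for s in diff["removed"]] or ["  none"]
    lines.append("Needs triage now (new exposure with a finding):")
    lines += [f"  {s.host}:{s.port} ({s.service}): {f}" for s, f in diff["triage"]] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    result = diff_inventories(parse_inventory(BASELINE_SCAN),
                              parse_inventory(CURRENT_SCAN))
    print(format_report(result))
```

Run against the constructed data it reports one new host (10.0.1.37), one new service on a known host (MySQL on 10.0.1.10), one service that went away (NetBIOS on 10.0.1.20), and two items to triage first. The useful design choice is that identity is host/port/service while the finding is payload: a service whose finding text changed between scans is not reported as "new", so the report stays focused on exposure that did not exist at the last scheduled run.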
