[funsec] so, is I[dp]S a STUPID technology?
aviram at beyondsecurity.com
Tue Oct 11 17:48:27 CDT 2005
On Wednesday, 12 October 2005 00:13, Paul Schmehl wrote:
> What if I *do* have a vulnerability and the IPS blocked the attack?
Then you're a very lucky guy and should go play the lottery. In this rare
scenario the IPS is more up to date than your vulnerability scanner - this
means you bought a crappy scanner. It also means there's a very good chance
you're vulnerable to things your IPS *isn't* blocking, which means you have
to re-think the way you're protecting your network.
> If you can recommend an *enterprise* capable vulnerability scanner (IOW one
> that I can schedule massive scanning events for a class A *and* class B
> network and then go look at the results when I have time) that doesn't cost
> more than my annual budget, then please do.
I can, but I won't.
<trimmed a long rant about ISS and nessus>
I can't argue with your experience (I quite agree with it, actually). But just
because you tried 2 bad tools and failed doesn't mean the idea is flawed -
just that you need to search a little harder.
There's also a very good reason why you haven't heard of alternatives to ISS
and nessus, but I really won't get into that. Enough holy wars for one day.
> We all
> learn from each other because each of us has different skill sets and
> different exposures that color our outlooks.
True. This is what this discussion is about :-)
I don't claim to be objective, but I have seen enough success stories to
convince me closing vulnerabilities (and not hiding behind a probability
blocking system) is a very real scenario.
> In edu, I cannot guarantee you, even if I could five minutes ago, that I
> don't have vulnerabilities on my network.
That's too bad. And this is what you should change. After you fix your
vulnerabilities and after you *know* you're patched against the known
problems, go ahead and buy an IPS (or any other candy you wish). Also, you'll
finally have the time to play with its nice GUI :-)
> I could tell you stories, but you don't have the time, and neither do I.
> Suffice it to say that I'm vulnerable 100% of the time *somewhere* in my
> network, and I don't know it, because they *just* plugged the damn thing
At the risk of sounding re-re-re-redundant, this is what the VA tool's job is
- to tell you what new vulnerable stations are suddenly there.
Sorry for getting all serious in funsec; it's all because of the approaching
Yom Kippur (the Hebrew 'judgement day')...
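The two points argued above - that a scheduled scan is what tells you which vulnerable stations suddenly appeared, and that an IPS leaves you exposed to whatever it has no signature for - can be made concrete by diffing two scan snapshots and checking the new findings against an IPS signature list. The following is an added example, not code from the thread or from any scanner or IPS vendor; the hosts, finding identifiers and IPS coverage list are constructed sample data, and the snapshot format is an assumption.

```python
"""Added example: diff two scheduled vulnerability-scan snapshots to surface
newly appeared hosts and new findings, then report which of the current
findings the IPS signature set does not cover.

Hosts, vulnerability ids and the IPS coverage list below are constructed
sample data; a real scanner export would be parsed into the same Finding set.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str      # scanned station
    vuln_id: str   # scanner's own finding identifier (constructed here)


# Constructed snapshot from last week's scheduled scan.
PREVIOUS_SCAN = {
    Finding("10.0.1.10", "VULN-0001"),
    Finding("10.0.1.11", "VULN-0002"),
}

# Constructed snapshot from today's scan: 10.0.1.11 is gone (patched or
# offline), 10.0.1.10 picked up a new finding, and 10.0.1.42 was "just
# plugged in" with two findings of its own.
CURRENT_SCAN = {
    Finding("10.0.1.10", "VULN-0001"),
    Finding("10.0.1.10", "VULN-0003"),
    Finding("10.0.1.42", "VULN-0002"),
    Finding("10.0.1.42", "VULN-0004"),
}

# Constructed list of vulnerability ids the IPS claims to have signatures for.
IPS_COVERED = {"VULN-0001", "VULN-0002"}


def new_hosts(previous, current):
    """Stations present in the current scan that were absent last time."""
    return sorted({f.host for f in current} - {f.host for f in previous})


def gone_hosts(previous, current):
    """Stations that no longer show any finding (patched, or simply offline)."""
    return sorted({f.host for f in previous} - {f.host for f in current})


def new_findings(previous, current):
    """(host, vuln) pairs that did not exist in the previous snapshot."""
    return sorted(current - previous, key=lambda f: (f.host, f.vuln_id))


def uncovered_by_ips(findings, covered):
    """Findings for which the IPS has no signature: exposure the IPS cannot
    hide, regardless of how well it blocks the rest."""
    return sorted((f for f in findings if f.vuln_id not in covered),
                  key=lambda f: (f.host, f.vuln_id))


def report(previous, current, covered):
    """Summarise the diff; returned as a dict so it can be checked or exported."""
    return {
        "new_hosts": new_hosts(previous, current),
        "gone_hosts": gone_hosts(previous, current),
        "new_findings": new_findings(previous, current),
        "uncovered": uncovered_by_ips(current, covered),
    }


if __name__ == "__main__":
    r = report(PREVIOUS_SCAN, CURRENT_SCAN, IPS_COVERED)
    print("new hosts:     ", ", ".join(r["new_hosts"]) or "none")
    print("gone hosts:    ", ", ".join(r["gone_hosts"]) or "none")
    print("new findings:  ", [(f.host, f.vuln_id) for f in r["new_findings"]])
    print("not covered by IPS:", [(f.host, f.vuln_id) for f in r["uncovered"]])
```

The `uncovered` list is the part worth acting on first: every entry there is a station that a signature-based IPS will let an attack through to, so it needs patching rather than "blocking". The `gone_hosts` list is deliberately kept, because a host that stopped answering is not the same as a host that was fixed.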