Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: IDS/IPS Solutions

  1. #11
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Tiger Shark
    [B]SS2:



    Sorry, the "yawn" was directed at political correctness in general, not at you personally. I'm just getting a bit fed up of political correctness.... A spade is still a spade no matter what you call it.
    Undoubtledly, but screw it up and you will DoS yourself.... Been there....
    Goes without saying really.
    I'm about as far from PC as you can get. I'm afraid my point here was missed.


    Er.. The risk assessment should dictate the level of protection needed by a company and therefore it's cost. If we are talking about Joe's Bait Supply that has no "secrets" on the network, 4 workstations and no public services then an IDS is not warranted - A simple firewall blocking all external access is all that is really required along with automatic updating of patches immediately they come available and functional AV.

    You seem to be treating IDS an an essential item, which it is not. However, if it is warranted then the vast majority of the cost goes towards an admin capable of implementing, managing and interpreting the system. Fail to have that admin and the IDS becomes a nice anchor.
    Wait in your 1st post, you said
    "Some form of IDS is absolutely necessary."
    I don't remember saying saying anything was essential.


    That's a given. But our supervisors see our employees daily. They inform me if they have concerns about any given employee and they go on the "Watch List". I can't see your employees managing my IDS. I have no idea whether they are happy or not and I sure as hell can't monitor their activity..... Even though they have all the information they need to compromise my network. Sorry, but that contravenes the most basic rule of any kind of security - limit access and knowledge to _only_ those who require it. If you have secrets worth keeping then, from a security standpoint, you are better off hiring in a specialist than outsourcing and giving them the "keys".
    Limited access can be properly afforded to a contractor.
    EXAMPLE:
    Northrop Grumman is a contractor I do business with.
    They are a very large contractor doing businness with very large companies.
    We do work up there in Battlecreek for DLA/DLIS via NG
    Although you elude to ma and pa type of work, this is not my main point of reference.
    We do however try not to forsake the little guy.
    We will do honest business with whomever.

    You are in the business to make money.
    Yes and if I didn't have to work, I would be in Belize fishing my life away.
    While having to work, making money is a motivator. Guilty as charged.

    I'm sure if you scrutinized all the contracts you hold and the implementations you have in place you would admit that there are a good proportion of customers who have been "over-sold" your products.... Because you could....
    Oh jeeeze, not another contractor cliche...
    It's a mistake to presume you know me or how I do business.
    You often use words like "most".
    My turn.
    Most government agencies use contracted work. Very few direct hires
    Just becuase they are onsite does not mean they are not a contractor

    Most large companies use a percentage of contracted IT and that percentage is growing
    year to year.

    I have a stack of RFPs defining companies dis-satisfaction with their current internal IT staff and are desperate learn of alternatives.
    I am not saying and have never said contracting is better or worse, only that it's a reality of my life.

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    "God" boxes or all-in-one solutions, is the direction the industry is headed. Large acquisitions are being made because the feeling from the remaining vendors is that they can provide you with all of your needs in a "one stop shop" scenario. This personally peeves me but that's another story.

    That said, you can easily find yourself in a situation where you have a God box that is really good at blocking connections but is completely terrible when it comes to VPN access. This is normally the result of an acquisition of a middle of the road small VPN company and quickly slapping a well recognized name on the product. I call this the Tommy Boy syndrome. Those who remember the movie will understand the reference. Anyway, it takes time to work out the bugs in the product but meanwhile your entire security solution is wrapped up in this expensive POS.

    I do feel that IDS appliances (pure IDS appliances) have a place in the enterprise, but they should be structured to fit a tiered architecture. That is, they are one piece of your entire reporting solution. I like to mix vendors and I certainly don't mind the extra work if the solution is performing up to (or above) my expectations. Others will disagree, but hey, everyone has their preferred methodologies.

    What works and what does not: My personal experiences.

    IPS appliances that are set to run inline. To me, this is not exactly a nice way to structure an IPS. Most will fail open. Baaaaaaaaaad. Some will allow setting the default to fail closed. Baaaaaaad, if it is a choke point. You either expose yourself to attacks or your entire userbase is cut off from the outside world. Hmmmmm, which is worse? To combat this, we have found a way to protect the network using IPS technologies without disrupting normal processes. Though I can't disclose the details, those who are sharp know that failover and redundancy are certainly in the mix. Yes, we have more than one ISP here.

    Are IDS/IPS devices hyped? Yes. Just like anything else you see advertised, these devices are pitched to you as the second coming of Christ. Like any reasonable person does when engaged in personal purchases, you learn quickly how to cut through the hype and get right down to the meat and potatoes. Yes, they will produce false positives (though some vendors claim they don't). Yes, they will require upkeep even if the vendor says they "run by themselves".

    Bottom line: Network Security is a lot of work, if it weren't, none of us would be here/employed. Don't expect a free lunch because in this industry, the only thing that is free is the awful chochkies you find at trade shows
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Limited access can be properly afforded to a contractor.
    It's not the access that is the issue it's the unfettered access to information about the network and it's resources. In order to do your job you need to see every bit of traffic passing through the network or you aren't doing your job. Just that level of knowledge regarding the architecture and resources on the network is more information than needed to begin to effect a network compromise.

    I would be in Belize fishing my life away
    Ahh.... Belize.... That was a fun year.....

    Most government agencies use contracted work.
    And most Government agencies are completely "foxxed" up and have their heads up their ass.... Not a great example mate.... I am also quite well experienced at being asked to fix networks that have been run by contractors for the last 5 years or more. They are utter crap. The contractors do just sufficient to enable the network to function but they also don't document a damned thing. So when you need to make a change to the router you find that the contractor doesn't even know the damned password because it was an employee that has been replaced 3 times that implemented the thing 4 years ago and didn't document it. I'm sorry I don't have a glowing picture of contractors - I have had too much experience with them - I even had the consulting firm that was hired to select me by my current employer fired because they weren't up to snuff..... (Ernst and Young no less..... )

    As far as I am concerned there are plenty of places where contracting is a viable and useful tool for some people. I _am_ saying that contracting security is a no-no if you actually want security. If you have something that needs protecting then you either have to pay for the protection and do it properly or risk losing your business. If you go and contract because it is cheaper, (the usual reason), then you aren't paying proper attention to your risk assessment and you aren't being as secure as you could be simply because you are bringing other entities into the picture. The more complicated you make the issue the less secure it is. Adding a contractor is complicating the issue - there's no way around that.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #14
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Tiger Shark


    And most Government agencies are completely "foxxed" up and have their heads up their ass.... Not a great example mate....
    Good points to be sure!!
    In fact just today I am killing myself over EDS's joke of security in an image build for a military Intranet workstation....It's ugly.
    When I see such folly, I turn it into opportunity.
    I'll not give up just yet. I'm not sure the wife will let me...lol

    Great debate...I enjoy your posts Tiger Shark

  5. #15
    Just a quick injection I'll offer here:

    Undoubtledly, but screw it up and you will DoS yourself.... Been there....
    As have I. Another important piont to make is that the IDS is useless if your IT staff doesn't master it. I'm speaking as one such IT person who hasn't mastered it, and am hoping to change that in the near future.

    Another point: The necessity of having an IDS, or any specific level of security for that matter, is dependant on your situation -- what you have to protect and how important it is. Case in point: my previous employer, the Little Rock Downtown Partnership, was a nonprofit that simply worked as a collaborator between various community entities to facilitate city development. That being the case, they didn't have much of anything that was mission-critical on their network, so security was pretty low, and an IDS would be overkill. Of course, now that I'm gone, they don't even have anyone IT.

    However, my current place of employment is one of the leading financial advising firms in this region of the country, so an IDS, I would think, should be of absolute importance (and we don't yet have one, something I'm going to work on). If our network was ever compromised, we would very much be in a heckuva lot of trouble.

    So, my case to make in short: the level of security necessary is entirely dependant on the importance/sensitivity of what's being secured.

    Ok...that wasn't quite so quick.

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    So, my case to make in short: the level of security necessary is entirely dependant on the importance/sensitivity of what's being secured.
    LOL. Also known as risk.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #17
    Um...yeah...If you want to say it the "short" way.

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ahhh.... There's Hoss complicating the issue with those big words again....

    Whan you do a risk assessment you are really looking at your assets in terms of dollars. If you are a bank and you release your entire customer records to the world the potential dollar cost is equal to the entire worth of your bank insofar as when all your customers leave and take their money you have no bank. Thus the risk is equal to your entire company value. In this case you would need to spend sufficient money to ensure that the entire customer list doesn't "wander". Now obviously you don't want to spend all the shareholder's profits on securing the system but you do need to spend enough to ensure that your profit is protected, (not necessarily _all_ of it because some will be spent in protecting what's left but certainly enough to ensure that you continue to profit).
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #19
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yeah, you know me, I like to really stir up the pot...

    You have explained the commercial or capitalist risk model (nicely I might add). Non profit entities (such as Government) assesses risk based on potential damage to the entity or those it serves. Typically, money is replaced with legal liability or political exposure when calculating risk. Well, at least that's how it works in my world.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss:

    Yep, the way it works in the non-profit world is based upon the potential for loss of funding by funding sources or a loss of funding when the funding source either pays on a per "customer" basis or is the customers themselves are paying and no customers turn up because your reputation is so badly damaged.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •