[177758] in North American Network Operators' Group


RE: Checkpoint IPS

daemon@ATHENA.MIT.EDU (Terry Baranski)
Thu Feb 5 07:57:58 2015

X-Original-To: nanog@nanog.org
From: "Terry Baranski" <terry.baranski.list@gmail.com>
To: <mh@xalto.net>, <nanog@nanog.org>
In-Reply-To: <54D313EF.4080305@free.fr>
Date: Thu, 5 Feb 2015 07:57:47 -0500
Errors-To: nanog-bounces@nanog.org

On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
> On 04/02/2015 17:19, Roland Dobbins wrote:
>>
>> Real life limitations?
>> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>
> Right ;-) Among many other nice ones, I like:
>
> ``‘IPS’ devices require artificially-engineered topological symmetry -
> can have a negative impact on resiliency via path diversity.''

Dang, I thought this quote was from an April 1st RFC when I first read it.

I hate to be the bearer of bad news, but everything we do is "artificial".
There are no routers in nature, no IP packets, no fiber optics. There is no
such thing as "natural engineering" -- engineering is "artificial" by
definition.

So when you're configuring artificially-engineered protocols on your
artificially-engineered router so that your artificially-engineered network
can transmit artificially-engineered packets, adding some extra
artificially-engineered logic to enforce symmetry won't break the bank, I
promise. And when done properly it has absolutely no impact on resilience
and path diversity, and will do you all the good in the world from a
troubleshooting perspective (those of you who operate networks).

The whole presentation is frankly just odd to me. It looks at one specific
CND threat (DDoS), and attempts to address it by throwing out the baby with
the bathwater. It says to eliminate state at all costs, but then at the end
advocates for reverse proxies -- which are stateful, and which therefore
create the same "problems" as firewalls and IPSs.

The idea of ripping out firewall/IPS devices and replacing them with router
ACLs is something that, if I were an attacker, I would definitely encourage
all of my targets to do. Firewalls aren't so much the big issue -- one can
theoretically use router ACLs for basic L3/L4 blocks, though they scale
horribly from an O&M perspective, are more prone to configuration errors,
and their manageability is poor. But there's no overstating the usefulness
of a properly-tuned IPS for attack prevention, and the comment in the brief
comparing an IPS to "[Having] your email client set to alert you to incoming
mail" is so bizarre that I wouldn't even know how to counter it.

(I know you're out there Roland and my intention isn't to get into a big
thing with you. But the artificial-engineering thing gave me a chuckle.)

On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
> On 05/02/2015 08:01, Roland Dobbins wrote:
>>
>> The real question is, why 'inspect', at all?
>
> Yes, that's an even more interesting discussion!

Only if your assets aren't targets. :-)

-Terry
