[177762] in North American Network Operators' Group


RE: Checkpoint IPS

daemon@ATHENA.MIT.EDU (Darden, Patrick)
Thu Feb 5 08:28:04 2015

X-Original-To: nanog@nanog.org
From: "Darden, Patrick" <Patrick.Darden@p66.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 5 Feb 2015 13:25:59 +0000
In-Reply-To: <1423142005906.59768@csuohio.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


Like most tools, IPSes are only as good as the people using them.

+10  "you can't just plug the "magic box" inline and expect to relax"

IPSes can't replace a well administered modern firewall, with default deny, well defined protocols with sanity checking, etc.  But imho they can help--e.g. with an internal well-protected network that shouldn't even be able to be attacked, but some dude picked up a usb key in the parking lot and plugged it into his PC to see what was on it.  No firewall will help with this--but an IDS/IPS will.

And no box is magic (another +10), despite the marketing droids' nebulous talk of clouds and AI and harnessing the power of the nuclear-nano-crowd-source.  They all need active attention by knowledgeable and intelligent people.

--p

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Michael O Holstein
Sent: Thursday, February 05, 2015 7:13 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Checkpoint IPS
<clip>
Personally I'm of the belief that *all* IPS systems are equally worthless, unless the goal is to just check a box on a form. Sure they will give you pretty graphs of script-kiddie attempts but that's just the noise in which the skilled attack will get lost. You have to do everything else right, you can't just plug the "magic box" inline and expect to relax.
<clip>
Michael Holstein
Cleveland State University