[177787] in North American Network Operators' Group
RE: Checkpoint IPS
daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu Feb 5 13:26:27 2015
X-Original-To: nanog@nanog.org
From: Matthew Huff <mhuff@ox.com>
To: Roland Dobbins <rdobbins@arbor.net>, "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 5 Feb 2015 18:26:18 +0000
In-Reply-To: <23BD3BAB-AC30-4D4C-8A96-B4CEA39A610D@arbor.net>
Errors-To: nanog-bounces@nanog.org
You make so many assumptions, it completely negates any reasonable point you are trying to make:
> There are other ways (reverse proxies, on-box systems like ModSecurity,
> et. al.); or take them offline.
What if the box isn't Linux? What if it isn't a web server? What if proxies don't work well with the protocol the box uses? What if it's an appliance a business unit made you set up? There are thousands of permutations like that. Many times you don't get to make the correct choices; you have to work with what you have. Any IPS, stateful firewall, application level gateways, proxies, etc. have their places.
In a content provider network (Facebook, etc...) only using stateless protection because of massive DDoS is a reasonable argument. But like I said, one size doesn't fit all, or in this case, many.
Like it's been said before, I strongly support my competitors following your advice.
----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Roland Dobbins
Sent: Thursday, February 5, 2015 1:11 PM
To: nanog@nanog.org
Subject: Re: Checkpoint IPS
On 6 Feb 2015, at 0:55, Matthew Huff wrote:
> What if you are a hosting company and those aren't your servers to
> patch?
Then it isn't the operator's problem.
> What about the time to patch 200+ servers versus configuring one
> location?
Operators should have sufficient automation to do this quickly. If not,
they're Doing It Wrong.
> What if you have to schedule the staff and maintenance window to patch
> the servers?
See above.
> What if you have legacy equipment that you must continue using, but
> the vendor is slow to provide the patch?
There are other ways (reverse proxies, on-box systems like ModSecurity,
et. al.); or take them offline.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>