[177794] in North American Network Operators' Group
Re: Checkpoint IPS
daemon@ATHENA.MIT.EDU (Terry Baranski)
Thu Feb 5 14:26:15 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <3923.1423154815@turing-police.cc.vt.edu>
Date: Thu, 5 Feb 2015 14:26:07 -0500
From: Terry Baranski <terry.baranski.list@gmail.com>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On 6 Feb 2015, at 11:46, Valdis Kletnieks wrote:
> Count up the number of *actual* attacks they have stopped
> that wouldn't have been stopped otherwise
Many.
> and contrast it
> to the number of times they've been used as the *basis* for
> an attack (DDoS via state exhaustion, for starters)
Zero, on my networks.
> or their failure has caused operational issues.
Zero, on my networks. Unless "operational issues" means traffic fails over
without a hitch.
> Still think they're a good idea?
Yep. And thanks for asking.
If you can't deploy IPSes in such a way that they don't make your network
less secure via DDoS susceptibility, or reduce availability due to
non-existent or subpar redundancy/survivability engineering, then you
shouldn't deploy IPSes.
-Terry
On Thu, Feb 5, 2015 at 11:46 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Thu, 05 Feb 2015 09:31:49 -0500, Terry Baranski said:
>
> > People tend to hear what they want to hear. Surely your claim can't be
> > that an IPS has never, in the history of Earth, prevented an attack or
> > exploit. So it's unclear to me what you're actually trying to say here.
>
> Count up the number of *actual* attacks they have stopped that wouldn't
> have been stopped otherwise, and contrast it to the number of times they've
> been used as the *basis* for an attack (DDoS via state exhaustion, for
> starters)
> or their failure has caused operational issues. Remember that one of the
> three security pillars is "Availability".
>
> Still think they're a good idea?
>
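The two risks the thread argues over, an inline IPS whose flow table can be exhausted by a flood (Valdis's point) and an IPS engineered so that it fails over rather than taking the network down (Terry's point), can be made concrete with a small model. The following is an added example written for this archive page, not code from either poster or from any Check Point product; the table size, per-source cap, timeout and traffic mix are constructed assumptions chosen only to make the effect visible. It models an inline device with a bounded flow table and compares three deployments: fail-closed with no limits, fail-open (bypass inspection when the table is full), and per-source state caps so a handful of flood sources cannot consume the whole table.

```python
"""Model of an inline stateful IPS under a half-open connection flood.

Added illustration for the NANOG "Checkpoint IPS" thread; all values are
constructed assumptions, not measurements of any real device.
"""
from collections import OrderedDict
from typing import Dict, Optional, Tuple


class InlineIPS:
    """Inline device that must hold one flow-table entry per inspected flow.

    policy='fail_closed': when the table is full, new flows are dropped
        (the state-exhaustion outage Valdis describes).
    policy='fail_open': when the table is full, new flows are forwarded
        uninspected (availability kept, inspection lost; this is the
        "fails over without a hitch" behaviour Terry relies on).
    per_source_cap: bound on entries a single source may hold, so a few
        flood sources cannot monopolise the table.
    """

    def __init__(self, capacity: int, policy: str = "fail_closed",
                 per_source_cap: Optional[int] = None, idle_timeout: int = 30):
        self.capacity = capacity
        self.policy = policy
        self.per_source_cap = per_source_cap
        self.idle_timeout = idle_timeout
        self.table: "OrderedDict[Tuple, Tuple[str, int]]" = OrderedDict()  # flow -> (src, last_seen)
        self.per_source: Dict[str, int] = {}
        self.stats = {"inspected": 0, "bypassed": 0, "dropped": 0, "src_limited": 0}

    def _expire(self, now: int) -> None:
        # Evict entries idle longer than idle_timeout (half-open flows never refresh).
        stale = [fid for fid, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for fid in stale:
            src, _ = self.table.pop(fid)
            self.per_source[src] -= 1

    def new_flow(self, now: int, flow_id: Tuple, src: str) -> str:
        """Admit a new flow; returns 'inspected', 'bypassed' or 'dropped'."""
        self._expire(now)
        if self.per_source_cap is not None and self.per_source.get(src, 0) >= self.per_source_cap:
            self.stats["src_limited"] += 1
            return "dropped"
        if len(self.table) >= self.capacity:
            if self.policy == "fail_open":
                self.stats["bypassed"] += 1
                return "bypassed"
            self.stats["dropped"] += 1
            return "dropped"
        self.table[flow_id] = (src, now)
        self.per_source[src] = self.per_source.get(src, 0) + 1
        self.stats["inspected"] += 1
        return "inspected"

    def utilization(self) -> float:
        """Fraction of the flow table in use; the metric an operator would alert on."""
        return len(self.table) / self.capacity


def simulate(ips: InlineIPS, flood_sources: int = 4, flood_flows: int = 2000,
             legit_flows: int = 200) -> Dict[str, int]:
    """Flood first (half-open flows from a few constructed sources), then
    legitimate flows from distinct clients. Returns the fate of the legitimate flows."""
    for i in range(flood_flows):
        ips.new_flow(0, ("flood", i), "10.0.0.%d" % (i % flood_sources + 1))  # constructed sources
    legit = {"inspected": 0, "bypassed": 0, "dropped": 0}
    for j in range(legit_flows):
        legit[ips.new_flow(1, ("legit", j), "192.0.2.%d" % j)] += 1  # constructed clients
    return legit


if __name__ == "__main__":
    for label, dev in [("fail-closed, no caps", InlineIPS(1000)),
                       ("fail-open, no caps", InlineIPS(1000, policy="fail_open")),
                       ("fail-closed, per-source cap", InlineIPS(1000, per_source_cap=100))]:
        fate = simulate(dev)
        print("%-28s legit=%s table=%.0f%% stats=%s"
              % (label, fate, 100 * dev.utilization(), dev.stats))
```

The first configuration reproduces the outage: once the flood fills the table, every legitimate flow is dropped and the IPS is the instrument of the denial of service. Fail-open keeps the legitimate traffic flowing but unspected, which is only acceptable if something upstream or downstream still sees it. The per-source cap is the deployment-engineering answer both posters would presumably accept: the flood is confined to 40% of the table, legitimate flows are still inspected, and `utilization()` gives the operator a number to alarm on well before either failure mode is reached.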