[177795] in North American Network Operators' Group


Re: Checkpoint IPS

daemon@ATHENA.MIT.EDU (Terry Baranski)
Thu Feb 5 14:29:47 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <520EE96E-4248-4490-8981-996BFFC597DC@arbor.net>
Date: Thu, 5 Feb 2015 14:29:39 -0500
From: Terry Baranski <terry.baranski.list@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On 6 Feb 2015, at 1:40pm, Roland Dobbins wrote:

> *Real* security mostly consists of *doing things*.  It requires skilled,
> experienced people who have both broad and deep expertise across the entire
> OSI model, are well-versed in architecture and the operational arts, and
> who understand all the implications of scale.

And if there's one person qualified to comment on what "real security" is,
it's a person who has "never heard a plausible anecdote of [IPS] devices
actually 'preventing' anything." :-)

-Terry

On Thu, Feb 5, 2015 at 1:40 PM, Roland Dobbins <rdobbins@arbor.net> wrote:

>
> On 6 Feb 2015, at 1:26, Matthew Huff wrote:
>
>> Like it's been said before, I strongly support my competitors following
>> your advice.
>
> Sorry - I've done the jobs, all of them.  They can be done properly, and
> are done properly by clueful operators.
>
> Oh, and what are operators who deploy these things supposed to do about
> *vulnerabilities in these devices themselves*?  That's a huge problem, they
> present a juicy attack surface, and exploits are discovered regularly.
> That's in the presentation, as well.
>
> I've heard these same tired arguments over and over again.  Folks tend to
> change their tune when their entire production infrastructure is rendered
> unavailable by a tiny DDoS which could be sourced from a single smartphone;
> it's just sad that so many are only ready to listen and learn after they've
> suffered serious production-impacting outages.
>
> If all it took to achieve *real* security - as opposed to 'compliance' or
> vendor marketing 'security' - were to write a check or cut a P.O. and drop
> some middlebox/middleblade in the network, we wouldn't be in the permanent
> state of security emergency in which we find ourselves.
>
> *Real* security mostly consists of *doing things*.  It requires skilled,
> experienced people who have both broad and deep expertise across the entire
> OSI model, are well-versed in architecture and the operational arts, and
> who understand all the implications of scale.
>
> Unfortunately, such people are relatively rare, even within the
> self-selected ranks of network operators - as several posts on this thread
> clearly demonstrate.
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
>
