On Fri, 13 Feb 2015, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years.
The alternative is to understand what his network does, what it was designed to do, and what he needs it to do. The end solution (IPS, IDS, ASA, whatever you want to throw in) should be just that, an END solution once he has taken the time to assess risk. This is a concept many miss.

As for "testing" ... So you own a house, you hire an assessor to analyze your property, write a report for you on your vulnerabilities. "You have 12 windows. OMFG Someone can break one of those windows and steal your family jewels!" Vendor gets paid and leaves you with a headache. 12 windows? So what... Behind those windows is a rabid pitbull I never feed. Wanna take a chance to break in?

Pentest... "So you own a house, same windows, now you're paying someone to get in." Let me tell you how pentesting fails. Pentesting fails because most companies get all bent out of shape based on Internet history of systems, and applications crashing from a simple network scan. Ask your next pentesting client (if this pentesting is your primary function) to allow you to perform a no-holds-barred pentest including social engineering. You'll get the deer-in-headlights look.

I discussed this recently with a client who wanted to be snarky: "Oh you'll never get in my systems" and I decided to inform him about reality... Reality: Hardcore attackers are NOT charging down the castle road with a log trying to break down the castle wall. They're sending client-side attacks (phishing emails, waterhole attacks). It's more cost effective for an attacker to do this versus trying to defeat the router, the switching with all its VLAN glory (that gets VLAN hopped), the L7 firewalls, the load balancers, the IPS, and then the IPS. It's useless, noisy, and just not cost effective when you think about it. IPS, IDS does little because they're RARELY applied in a proper fashion.

As for tinkering, geekiness. If you can't at least wrap your head around the concept, then I don't know why you'd want to be on this list.
Further, IPS/IDS is better suited to be inverted (Extrusion Detection) as you WILL NEVER (CAN NEVER) stop someone from knocking on your door. So you block every APNIC block thinking "Phew I just blocked 100% of APTs" until you get whacked from a hosting company in the US. What have you accomplished? On the EXTRUSION side of the equation, knowing your network, and how it works makes more sense. Your focus gets shifted to the following logic: (rule) SHOW ME ANYTHING LEAVING MY NETWORK THAT IS OVER 1MB ON A SUNDAY MORNING 2AM ... This anomaly means a hell of a lot more than watching all of the internet trash that will hit your door (egress ifaces).

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace"
- Dalai Lama

0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
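The extrusion rule at the end of the reply ("show me anything leaving my network that is over 1MB on a Sunday morning 2AM") is easy to turn into working detection logic. The following is an added example, not code from the original post or from any product mentioned in the thread. It assumes a constructed CSV flow-record format (timestamp, source IP, destination IP, destination port, bytes out), a hypothetical internal address space in `INTERNAL_NETS`, and an off-hours window widened to Sunday 00:00-05:59. It goes one step beyond the rule as stated: besides flagging single flows over the threshold, it also totals a host's off-hours outbound bytes, since a transfer split into many small flows would otherwise slip under a per-flow check.

```python
"""Egress (extrusion) anomaly check over flow logs.

Added example, not code from the original mailing-list post. Assumes a
constructed CSV record format:
    timestamp(ISO 8601),src_ip,dst_ip,dst_port,bytes_out
and a hypothetical internal address space listed in INTERNAL_NETS.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumption: the organisation's internal ranges (RFC 1918 space used here).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
THRESHOLD_BYTES = 1_048_576   # "over 1MB" from the post (1 MiB here)
OFF_HOURS_WEEKDAY = 6         # Sunday; datetime.weekday() counts Monday as 0
OFF_HOURS = range(0, 6)       # 00:00-05:59, widened from "2AM" (assumption)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one CSV record; raises ValueError on a malformed line."""
    fields = line.strip().split(",")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, src, dst, port, nbytes = fields
    return Flow(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(port), int(nbytes))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def leaves_network(flow: Flow) -> bool:
    """True for traffic from an internal host to a non-internal destination."""
    return is_internal(flow.src) and not is_internal(flow.dst)


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() == OFF_HOURS_WEEKDAY and ts.hour in OFF_HOURS


def find_egress_anomalies(lines):
    """Return (large_flows, chatty_hosts, skipped).

    large_flows:  off-hours outbound flows individually over THRESHOLD_BYTES.
    chatty_hosts: {src_ip: total_bytes} for hosts whose off-hours outbound
                  total exceeds THRESHOLD_BYTES even if no single flow does.
    skipped:      number of unparseable lines, reported rather than dropped.
    """
    large_flows = []
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        try:
            flow = parse_flow(line)
        except ValueError:
            skipped += 1
            continue
        if not (leaves_network(flow) and is_off_hours(flow.ts)):
            continue
        totals[str(flow.src)] += flow.bytes_out
        if flow.bytes_out > THRESHOLD_BYTES:
            large_flows.append(flow)
    chatty_hosts = {h: b for h, b in totals.items() if b > THRESHOLD_BYTES}
    return large_flows, chatty_hosts, skipped


# Constructed sample records; 2015-02-15 is a Sunday.
SAMPLE_LOG = """\
# ts,src,dst,dst_port,bytes_out
2015-02-15T02:13:07,10.1.4.22,203.0.113.45,443,18432000
2015-02-15T02:15:40,10.1.4.22,10.1.9.8,445,52000000
2015-02-15T02:30:11,10.1.5.9,198.51.100.7,443,30000
2015-02-15T02:31:02,10.1.5.9,198.51.100.7,443,600000
2015-02-15T02:31:55,10.1.5.9,198.51.100.7,443,500000
2015-02-15T14:00:00,10.1.5.9,203.0.113.45,443,4000000
2015-02-16T02:20:00,10.2.0.3,192.0.2.10,22,25000000
garbage line without commas
"""

if __name__ == "__main__":
    large, hosts, bad = find_egress_anomalies(SAMPLE_LOG.splitlines())
    for f in large:
        print(f"LARGE FLOW {f.ts} {f.src} -> {f.dst}:{f.dst_port} {f.bytes_out} bytes")
    for host, total in hosts.items():
        print(f"HOST TOTAL {host} sent {total} bytes off-hours")
    print(f"{bad} malformed line(s) skipped")
```

In the sample, the 18 MB flow from 10.1.4.22 is flagged on its own, 10.1.5.9 is flagged only on its summed total (three flows that are each under the threshold), the internal-to-internal SMB transfer and the Sunday-afternoon and Monday flows are ignored, and the malformed line is counted rather than silently dropped. Real deployments would feed this from a flow collector and tune the thresholds and window to the network's own baseline, which is exactly the "know your network" point the post makes.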