On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
On 04/02/2015 17:19, Roland Dobbins wrote:
Real life limitations? https://app.box.com/s/a3oqqlgwe15j8svojvzl
Right ;-) Among many other nice ones, I like:
"IPS devices require artificially-engineered topological symmetry - can have a negative impact on resiliency via path diversity."
Dang, I thought this quote was from an April 1st RFC when I first read it. I hate to be the bearer of bad news, but everything we do is "artificial". There are no routers in nature, no IP packets, no fiber optics. There is no such thing as "natural engineering" -- engineering is "artificial" by definition. So when you're configuring artificially-engineered protocols on your artificially-engineered router so that your artificially-engineered network can transmit artificially-engineered packets, adding some extra artificially-engineered logic to enforce symmetry won't break the bank, I promise. And when done properly it has absolutely no impact on resilience and path diversity, and will do you all the good in the world from a troubleshooting perspective (those of you who operate networks).

The whole presentation is frankly just odd to me. It looks at one specific CND threat (DDoS), and attempts to address it by throwing out the baby with the bathwater. It says to eliminate state at all costs, but then at the end advocates for reverse proxies -- which are stateful, and which therefore create the same "problems" as firewalls and IPSs.

The idea of ripping out firewall/IPS devices and replacing them with router ACLs is something that, if I were an attacker, I would definitely encourage all of my targets to do. Firewalls aren't so much the big issue -- one can theoretically use router ACLs for basic L3/L4 blocks, though they scale horribly from an O&M perspective, are more prone to configuration errors, and their manageability is poor. But there's no overstating the usefulness of a properly-tuned IPS for attack prevention, and the comment in the brief comparing an IPS to "[Having] your email client set to alert you to incoming mail" is so bizarre that I wouldn't even know how to counter it.

(I know you're out there Roland and my intention isn't to get into a big thing with you. But the artificial-engineering thing gave me a chuckle.)
On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
On 05/02/2015 08:01, Roland Dobbins wrote:
The real question is, why 'inspect', at all?
Yes, that's an even more interesting discussion!
Only if your assets aren't targets. :-)

-Terry