Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection
From: Nelson Brito <nbrito () sekure org>
Date: Tue, 1 Jun 2010 11:49:28 -0300

I still keep in capital: anyone MUST deploy Host IPS when adopting  
Network IPS. If you don't do so you MUST keep in mind that you are  
just approaching some threads, even because Host and Network IPS have  
different approaches.

Otherwise you will THINK you're protected... But nobody can guarantee  
that.

Regarding the aquisition of those solutions, of course it cannot be  
done without a deep looking inside the corporate, but it doesn't mean  
you don't have to...

When you decided to aquire a security solution you have to be careful  
and have well designed criterias to do so, but, again, it doesn't mean  
you don't have to aquire them.

About the known and unknown threads, I will not enter into this,  
because it is kind of a phylosofical discussion.

Cheers.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it  
from Google Code (http://code.google.com/p/mssqlfp/) or from  
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an  iPhone wireless device. Please, forgive any potential  
misspellings!

On Jun 1, 2010, at 11:20 AM, "Cor Rosielle" <cor () outpost24 com> wrote:

Nelson,

I put my comments inline as well

Regards, Cor

...snip...
Nelson,

You're missing one point: Host IPS MUST be deployed with any  
Network
Security (Firewalls os NIPSs).
Please be aware this is a risk decision and not a fact. I don't use
an host IPS and no anti Virus either. Still I'm sure my laptop is
perfectly safe. This is because I do critical thinking about
security measures and don't copy behavior of others (who often don't
think for themselves and just copies other peoples behavior). Please
note I'm not saying you're not thinking. If you did some critical
thinking and an host IPS is a good solution for you, then that's OK>
It just doesn't mean it is a good solution for everybody else and
everybody MUST deploy an host IPS.

That's so 1990! NIPS and/or Firewall just protect you if you're  
inside
the "borders"... But, come on. Who doesn't have a laptop nowadays?  
So,
multiple protection layers is better than none, anyways.

Even one layer is better than none :-). Multiple layers are even  
better, especially when they are different types of protection. But  
applying security without thinking is bad. Even if you have enough  
money and hardware to spent, you should at least think about the  
balance between the amount security you get and the amount of risk  
you run when installing another piece of software. Then you can  
decide if it is worth the money or hardware you need to spend.

You have choices when adopting a security posture or, if you prefer,
risk posture. I believe that it's quite difficult and almost
impossible you stay updated with all the threads, due to exponential
growth of them.
You have a point here. That's why it is better not to base security  
on defenses to known and existing threats alone, but use defense  
mechanisms that protect you both against known and existing threats  
and against unknown and future threats as well. I can't help to  
mention the OSSTMM again, because this is pretty much what it is  
about.

No security solution/technology is the miracle protection alone,
That's true.

so that's the reason everybody is talking about defense in depth.
Defense in depth is often used for another line of a similar defense
mechanism as the previous already was. Different layers of defense
works best if the defense mechanism differ. So if you're using anti
virus software (which gives you an authentication control and an
alarm control according to the OSSTMM), then an host IDS is not the
best additional security measure (because this also gives you an
authentication and an alarm control).

Woowoo.. I cannot agree with you, because AV has nothing to do
protecting end-point against network attacks. AV will alert and
protect only when the thread already reached your end-point. Besides,
there are other layers, such as: buffer overflow protection inside
HIPS. Look that I am not talking abous IDS. 8)
Sure you're right about that. There is a lot of other threats AV  
doesn't protect you to. Just like an IPS doesn't protect you against  
all threats. But that doesn't mean it is a wise decision to install  
each and every part of security software you can get, because  
software comes with costs and risks too. This is true for IPS's too.


This would also be a risk decision, but based on facts and the rules
defined in the OSSTMM and not based on some marketing material. You
should give it a try.

It always is a risk decision, and I not basing MHO on any "standard",
that's based on my background... And, AFAIK, nodoby can expect that
users and/or server systems will be able to apply all or any update  
in
a huge environment.


Of course you don't have to agree, but I think it is better to be  
critical about the software you install. And if you don't agree and  
rather spend your money on things that were useful for someone else  
at another time and under different circumstances, then just do  
that. But I wish you wouldn't write that others must (you wrote it  
even in capitals) deploy an IPS.

Regards,
Cor


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault