
| Subject: | Re: IDS\IPS that can handle one Gig |
|---|---|
| Date: | Tue, 07 Jun 2005 15:59:24 -0500 |
On Tue, 2005-06-07 at 21:06 +0530, Control Zed wrote:
> Sometimes it may not be possible to patch critical servers simply because you can't afford the downtime or you don't know if the patches would break other critical applications or software.
If downtime is important, surely there are redundancies in place. You should be able to take one set, patch it, verify it, and put it back in production, and then repeat the same with the second set. (Of course you have the whole thing already tested in your test environment...right?) Any company that does not have the capability of working on one half of a redundant setup, or doesn't even have a redundant setup, doesn't have a test-bed, still hasn't properly addressed handling critical servers or dealing with redundancy and downtime issues. Shops without redundant capabilities have other problems that need to be addressed first. After all, availability is an important leg of most security mantras.
> So if you know the vulnerability and the way it can be exploited, you can protect it till you can find time to patch it. Nothing wrong in this approach.
Except for "finding time". The risk is that people will brush applying patches aside to deal with other more important issues (like fixing non-redundant servers). It's the same thing with input validation during code development. Yeah, developers know about it, but they just don't have the time to properly implement it. I think relying on IPSes to buy time for patch installation will do the same thing. Why patch today when you can wait a month and roll up several patches at once?

Peter and Vikram were referring to finding a balance between VM and IPS. However, it is not an either-or situation. If you have an IPS in place, and even if you don't have any vulnerability management software in place, you still have to balance the patching issue. I'm just highlighting the danger that if you have one or both in place, people might become complacent with actually fixing the vulnerabilities. If you don't have to right away, but could patch systems at your leisure, would you do it? If you don't have to right away, but could implement input validation after the fact, would you do it? Principle and "correctness" often get compromised for $EXCUSE.

Cheers,
Frank