do not slap shaving cream on your firewall box

Rothman makes the following comment about IPS:

Personally, I think it’s a pipe dream. The market has voted most IPS blocking off the island, opting instead to block maybe 2-3% of the applicable rules and monitor the rest. What makes us think, that even over a reasonable planning horizon (5-7 years), that detection will become granular and accurate enough to actually do this kind of automated blocking?

When your buddy is slumbering soundly on the couch, he unconsciously moves or swats at the fly landing lightly on his cheek. Watching this a couple of times leads to the brilliant idea of filling that hand with shaving cream and tickling his cheek, so the automatic reaction results in a face full of cream. That’s my analogy for the issue with most IPS rules. I’m not anti-IPS or anti-automatic-blocking, but I am anti-dumb-unconscious-blocking, which, as Rothman says, so far only works for a stupidly small set of triggers.

One thought on “do not slap shaving cream on your firewall box”

  1. Effectively deploying just a few of these ‘dumb-unconscious-blocking’ rules can be extremely beneficial.
    Case in point: block all P2P protocols and any IRC /join and /nick commands, regardless of port used. These two categories alone will significantly drop the number and effectiveness of bots that make it inside your network and use P2P or IRC for command and control.
    And if your IPS has solid rules to protect against IE attacks, you’re doubly rewarded in my opinion. Where I work, 80 – 90% of our incident response is for IE compromises. Since deploying IPS technology, we’re seeing a recorded drop in that figure.
    IPS isn’t a panacea, but neither is the coveted firewall. But when properly deployed together, they are a hard-hitting 1-2 punch combo.
    I *heart* my IPS. =)
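The distinction the post and the comment are drawing is between a small set of high-confidence rules worth running in blocking mode and the rest, which are safer left in monitor mode. The following is an added example, not code from the original post or its commenter: a tiny content-based rule engine in Python that matches IRC JOIN/NICK commands on payload content regardless of TCP port (a blocking rule) while leaving a looser heuristic in alert-only mode. The flows, rule names and the IE user-agent heuristic are all constructed for illustration.

```python
"""
Added example (not from the original post or its commenter): a minimal
content-based rule engine showing two rule classes. IRC command-and-control
commands are matched on payload content regardless of port and set to
"drop"; a loose heuristic is kept in "alert" (monitor) mode so it cannot
block traffic on its own. All flows below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern  # compiled bytes regex applied to the payload
    action: str          # "drop" (blocking) or "alert" (monitor only)


# IRC client commands sit at the start of a CRLF-terminated line, so the
# anchor avoids matching the word "join" inside ordinary chat text.
IRC_CMD = re.compile(rb"(?:^|\r\n)(?:JOIN|NICK)[ ]+\S", re.IGNORECASE)

# Hypothetical loose heuristic: an HTTP User-Agent claiming IE. On its own
# this is not evidence of compromise, so it stays in monitor mode.
IE_UA = re.compile(rb"User-Agent:[^\r\n]*MSIE", re.IGNORECASE)

RULES = [
    Rule("irc-c2-command-any-port", IRC_CMD, "drop"),
    Rule("ie-user-agent-seen", IE_UA, "alert"),
]


def evaluate(flow, rules=RULES):
    """Return (verdict, matched rule names).

    Verdict is "drop" if any matching rule is a blocking rule, "alert" if
    only monitor-mode rules matched, and "pass" if nothing matched.
    """
    matched = [r.name for r in rules if r.pattern.search(flow.payload)]
    actions = {r.action for r in rules if r.name in matched}
    if "drop" in actions:
        return "drop", matched
    if "alert" in actions:
        return "alert", matched
    return "pass", matched


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = [
    # IRC bot registering on a non-standard port: blocked on content, not port
    Flow("10.0.0.5", "203.0.113.7", 8080,
         b"NICK bot1234\r\nUSER x 0 * :x\r\nJOIN #ctl\r\n"),
    # ordinary HTTP request from an IE user-agent: alert only
    Flow("10.0.0.6", "198.51.100.3", 80,
         b"GET / HTTP/1.1\r\nHost: example.test\r\n"
         b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    # chat text mentioning "join" mid-line on the IRC port: not a command
    Flow("10.0.0.7", "198.51.100.4", 6667,
         b"PRIVMSG #chat :please join us later\r\n"),
]


def summarize(flows=SAMPLE_FLOWS):
    """Return (destination port, verdict) for each flow."""
    return [(f.dport, evaluate(f)[0]) for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, names = evaluate(f)
        print(f"{f.src}->{f.dst}:{f.dport} {verdict:5} {names}")
```

The point of the two actions is that adding a rule to the engine does not commit you to blocking on it: a rule earns "drop" only when its match is specific enough (here, a protocol command anchored at line start) that a false positive is unlikely, and everything else stays in "alert" until it has proven itself.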
