Sorry to say, but that big telecom company sounds like it may be the one that
lets all the SQL Slammer, aspROX, PHP Includes, and many other attacks hit my
IPS inbound, where they are stopped.
An IPS is a critical component of defense-in-depth. It's not a magic box that
can be installed with default filters. It takes daily attention from a
trained network security analyst who does threat analysis and tunes the device
to protect against the attacks that it can best detect.
Anything beyond the capabilities of the firewall and IPS call for network
traffic analysis and anomaly detection.
As far as ROI is concerned, I agree with the other writers about 'no such
thing' and the fine writings of Mr. Betjlich. Let me ask you this; what's the
ROI on flood insurance, hurricane insurance, insurance on company vehicles, or
even vehicle inspections and registration?
Ask TJX, Heartland, and all the other victims of major intrusions about the
ROI of looking like complete morons for not spending enough on trained,
professional network security analysts and giving them the tools they need to
do their job.
You want examples of attacks that any good IPS can block?
Most SQL injection attacks.
Most PHP attacks.
Vulnerable PDF, activex, and document transmission.
Bad network traffic.
Many buffer overflow attacks.
Many zero-day or emerging threats.
Most cross-site scripting.
Many, many platform specific vulnerabilities.
They're not perfect, but I sure wouldn't want to do without mine.
Ravi Chunduru wrote:
I was talking to a junior security administartor working for a big
telecom company. He said something which is worrying. After few
years of IPS deployment in particular department, they decided to
remove IPS devices. It was felt that they did not find enough ROI to
justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and
reports. It apperas that no major incidents were detected by network
IPS devices. they felt that signature coverage is either poor or not
timely. i also was told that these IPS devices are from industry
leaders.
Can you share your experiences? Any examples of successful detection
and prevention of major attacks and penetration by IPS devices.
Thanks
Ravi
