On 6 Feb 2015, at 1:40pm, Roland Dobbins wrote:

> *Real* security mostly consists of *doing things*. It requires skilled, experienced
> people who have both broad and deep expertise across the entire OSI model, are
> well-versed in architecture and the operational arts, and who understand all the
> implications of scale.

And if there's one person qualified to comment on what "real security" is, it's a person who has "never heard a plausible anecdote of [IPS] devices actually 'preventing' anything." :-)

-Terry

On Thu, Feb 5, 2015 at 1:40 PM, Roland Dobbins <rdobb...@arbor.net> wrote:

> On 6 Feb 2015, at 1:26, Matthew Huff wrote:
>
>> Like it's been said before, I strongly support my competitors following
>> your advice.
>
> Sorry - I've done the jobs, all of them. They can be done properly, and
> are done properly by clueful operators.
>
> Oh, and what are operators who deploy these things supposed to do about
> *vulnerabilities in these devices themselves*? That's a huge problem, they
> present a juicy attack surface, and exploits are discovered regularly.
> That's in the presentation, as well.
>
> I've heard these same tired arguments over and over again. Folks tend to
> change their tune when their entire production infrastructure is rendered
> unavailable by a tiny DDoS which could be sourced from a single smartphone;
> it's just sad that so many are only ready to listen and learn after they've
> suffered serious production-impacting outages.
>
> If all it took to achieve *real* security - as opposed to 'compliance' or
> vendor marketing 'security' - were to write a check or cut a P.O. and drop
> some middlebox/middleblade in the network, we wouldn't be in the permanent
> state of security emergency in which we find ourselves.
>
> *Real* security mostly consists of *doing things*. It requires skilled,
> experienced people who have both broad and deep expertise across the entire
> OSI model, are well-versed in architecture and the operational arts, and
> who understand all the implications of scale.
>
> Unfortunately, such people are relatively rare, even within the
> self-selected ranks of network operators - as several posts on this thread
> clearly demonstrate.
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>