Checkpoint IPS

Hi,

Does anyone have positive or negative experience running a
Checkpoint IPS cluster over a ``long distance'' sync
network? Real life limitations? Alternatives? Timers?

Cheers,

mh

You can do "stretched" with Check Point as long as the network delay is
less than around 70-100 msec RTT or so. If you do this, run your firewalls
in Active/Standby modes.

Thanks Eugeniu, I see what you mean. The specific case I'm looking at is
about asymmetric routing, though.

Cheers,

mh

Firewalls/IPS and asymmetric routing don't play nice. Try to change your
setup/design so that traffic enters/leaves your network segments through
the same security device.

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
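To make the point concrete, here is a small simulation, added here and not from anyone in the thread, of why a stateful firewall/IPS sees only half a flow under asymmetric routing: two inspectors A and B each keep their own TCP state, and with the client's packets via A and the server's replies via B neither ever sees a complete handshake, so everything after the SYN is out-of-state and dropped. The hosts, packets and simplified flag strings are constructed; `shared_state=True` is an idealised version of the synced cluster from the first reply, whose real-world limit is the RTT bound Eugeniu mentions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # simplified TCP flags: "S", "SA", "A" (handshake), "PA" (data)

class Inspector:
    # Minimal stateful TCP tracker: a flow only reaches ESTABLISHED if this
    # device itself sees both directions of the handshake.
    def __init__(self, name, table=None):
        self.name = name
        self.table = {} if table is None else table  # flow key -> (state, originator)
        self.dropped = []

    @staticmethod
    def key(p):
        return tuple(sorted((p.src, p.dst)))  # direction-agnostic flow key

    def inspect(self, p):
        k = self.key(p)
        st = self.table.get(k)
        if p.flags == "S" and st is None:
            self.table[k] = ("SYN_SENT", p.src)
            return True
        if st and p.flags == "SA" and st[0] == "SYN_SENT" and p.dst == st[1]:
            self.table[k] = ("SYN_RECV", st[1])
            return True
        if st and p.flags == "A" and st[0] == "SYN_RECV" and p.src == st[1]:
            self.table[k] = ("ESTABLISHED", st[1])
            return True
        if st and st[0] == "ESTABLISHED":
            return True
        self.dropped.append((self.name, p))  # out-of-state packet: drop and log
        return False

# Constructed three-way handshake plus one data segment between two hosts.
HANDSHAKE = [Pkt("client", "server", "S"), Pkt("server", "client", "SA"),
             Pkt("client", "server", "A"), Pkt("client", "server", "PA")]

def run(route, shared_state=False):
    # route(p) names the device ("A" or "B") that sees packet p; shared_state=True
    # models an idealised cluster whose state sync is instantaneous.
    table = {} if shared_state else None
    devs = {"A": Inspector("A", table), "B": Inspector("B", table)}
    return [devs[route(p)].inspect(p) for p in HANDSHAKE]

def symmetric(p): return "A"                                 # both directions via A
def asymmetric(p): return "A" if p.src == "client" else "B"  # replies bypass A via B
```

`run(asymmetric)` passes only the SYN, while `run(symmetric)` and `run(asymmetric, shared_state=True)` pass the whole flow; inspect each device's `dropped` list to see which packet each one refused and why.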

I know. However, I fail to see symmetric traffic flow as ``natural'',
apart from maybe at the extreme edge of a network. So, need another
inspection strategy I think.

Thanks,

mh

On 04/02/2015 17:19, Roland Dobbins wrote:

Real life limitations?

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

Right ;-) Among many other nice ones, I like:

`` ‘IPS’ devices require artificially-engineered topological symmetry-
can have a negative impact on resiliency via path diversity.''

Cheers,

mh

The real question is, why 'inspect', at all?

On 05/02/2015 08:01, Roland Dobbins wrote:

So, need another inspection strategy I think.

The real question is, why 'inspect', at all?

Yes, that's an even more interesting discussion!

mh

Real life limitations?
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

Right ;-) Among many other nice ones, I like:

`` ‘IPS’ devices require artificially-engineered topological symmetry-
can have a negative impact on resiliency via path diversity.''

Dang, I thought this quote was from an April 1st RFC when I first read it.

I hate to be the bearer of bad news, but everything we do is "artificial".
There are no routers in nature, no IP packets, no fiber optics. There is no
such thing as "natural engineering" -- engineering is "artificial" by
definition.

So when you're configuring artificially-engineered protocols on your
artificially-engineered router so that your artificially-engineered network
can transmit artificially-engineered packets, adding some extra
artificially-engineered logic to enforce symmetry won't break the bank, I
promise. And when done properly it has absolutely no impact on resilience
and path diversity, and will do you all the good in the world from a
troubleshooting perspective (those of you who operate networks).

The whole presentation is frankly just odd to me. It looks at one specific
CND thread (DDoS), and attempts to address it by throwing out the baby with
the bathwater. It says to eliminate state at all costs, but then at the end
advocates for reverse proxies -- which are stateful, and which therefore
create the same "problems" as firewalls and IPSs.

The idea of ripping out firewall/IPS devices and replacing them with router
ACLs is something that, if I were an attacker, I would definitely encourage
all of my targets to do. Firewalls aren't so much the big issue -- one can
theoretically use router ACLs for basic L3/L4 blocks, though they scale
horribly from an O&M perspective, are more prone to configuration errors,
and their manageability is poor. But there's no overstating the usefulness
of a properly-tuned IPS for attack prevention, and the comment in the brief
comparing an IPS to "[Having] your email client set to alert you to incoming
mail" is so bizarre that I wouldn't even know how to counter it.

(I know you're out there Roland and my intention isn't to get into a big
thing with you. But the artificial-engineering thing gave me a chuckle.)

`` ‘IPS’ devices require artificially-engineered topological symmetry-
can have a negative impact on resiliency via path diversity.''

Dang, I thought this quote was from an April 1st RFC when I first read it.

I hate to be the bearer of bad news, but everything we do is "artificial".
There are no routers in nature, no IP packets, no fiber optics. There is no
such thing as "natural engineering" -- engineering is "artificial" by
definition.

You're forgetting that such things are rarely read (in time) by the people that actually implement and use such a product .. that language is targeted at the pointy-haired crowd.
Salespeople *hate* it when they get a technical resource instead of a management one because "it's magic, it's artificial intelligence, etc." just doesn't fly with us.

Personally I'm of the belief that *all* IPS systems are equally worthless, unless the goal is to just check a box on a form. Sure they will give you pretty graphs of script-kiddie attempts but that's just the noise in which the skilled attack will get lost. You have to do everything else right, you can't just plug the "magic box" inline and expect to relax.

My 0.02.

Michael Holstein
Cleveland State University

mh,

you know that forcing traffic to be symmetrical is evil, and while
backbone traffic and inspection don't play nice, there are very legit
reasons why, in many cases edge traffic must be open for inspection. I'm
on my way to the office, feel free to ping me if you want to discuss. Or
maybe I could use it as a reason to come visit, it's been a while since
we've had a chance to vis-a-vis :-)

-jim

Concur 100%.

Securing hosts/applications/services themselves is the way to protect them from compromise.

Like most tools, IPSes are only as good as the people using them.

+10 "you can't just plug the "magic box" inline and expect to relax"

IPSes can't replace a well administered modern firewall, with default deny, well defined protocols with sanity checking, etc. But imho they can help--e.g. with an internal well-protected network that shouldn't even be able to be attacked, but some dude picked up a usb key in the parking lot and plugged it into his PC to see what was on it. No firewall will help with this--but an IDS/IPS will.

And no box is magic (another +10), despite the marketing droids' nebulous talk of clouds and AI and harnessing the power of the nuclear-nano-crowd-source. They all need active attention by knowledgeable and intelligent people.

--p

Sure they will give you pretty graphs of script-kiddie attempts but
that's just the noise in which the skilled attack will get lost.

Sorry but this is not even in the neighborhood of what a
properly-implemented IPS does.

I can certainly see why you think they're worthless though. :-)

-Terry

" Securing hosts/applications/services themselves is the way to protect them from compromise."

Can't go wrong with defense in depth. I'd definitely throw securing routers in there, throw in firewalls, periodic internal scanning for idiot mistakes, audits, etc.

I still think IPS/IDSes can be wielded to good effect in several different scenarios--e.g. just before the core switch (or spanning the core switch) of a PCN network, alerting to anything going on intra vs. inter.

--p

I hate to be the bearer of bad news, but everything we do is "artificial". There are no routers in nature, no IP packets, no fiber optics. There is no such thing as "natural engineering" -- engineering is "artificial" by definition.

This isn't even worthy of comment, so I won't.

But there's no overstating the usefulness of a properly-tuned IPS for attack prevention

I've never heard a plausible anecdote, much less seen meaningful statistics, of these devices actually 'preventing' anything.

I have, however, run into many, many situations in which these devices demonstrably degraded the security posture of network operators, particularly when placed in front of servers or broadband access networks. For example, they're laughably easy to DDoS due to state exhaustion - which is what is the main point of the presentation you reference.

And the fact that well-known evasion techniques still work against these devices today, coupled with the undeniable proliferation of compromised hosts residing within networks supposedly 'protected' by these devices, militates against your proposition.

On 05/02/2015 13:57, Terry Baranski wrote:

On 04/02/2015 17:19, Roland Dobbins wrote:

Real life limitations?
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

Right ;-) Among many other nice ones, I like:

`` ‘IPS’ devices require artificially-engineered topological symmetry-
can have a negative impact on resiliency via path diversity.''

Dang, I thought this quote was from an April 1st RFC when I first read it.

I hate to be the bearer of bad news, but everything we do is "artificial".
There are no routers in nature, no IP packets, no fiber optics. There is no
such thing as "natural engineering" -- engineering is "artificial" by
definition.

So when you're configuring artificially-engineered protocols on your
artificially-engineered router so that your artificially-engineered network
can transmit artificially-engineered packets, adding some extra
artificially-engineered logic to enforce symmetry won't break the bank, I
promise. And when done properly it has absolutely no impact on resilience
and path diversity, and will do you all the good in the world from a
troubleshooting perspective (those of you who operate networks).

Depends on the underlying physical network... (which may be quite
costly to ``fix'').

mh

mh,

Hi there Jim :-)

you know that forcing traffic to be symmetrical is evil,

Voilà!

and while backbone traffic and inspection don't play nice, there are
very legit reasons why, in many cases edge traffic must be open for
inspection.

Yes, right, often some such `control' is on wish-lists.

I'm on my way to the office, feel free to ping me if you want to
discuss. Or maybe I could use it as a reason to come visit, it's been
a while since we've had a chance to vis-a-vis :-)

With pleasure! Yes, too long time... TTYS,

mh

On 05/02/2015 14:28, Terry Baranski wrote:

Sure they will give you pretty graphs of script-kiddie attempts but
that's just the noise in which the skilled attack will get lost.

No, Terry, I didn't write that! :-)

Cheers,
mh