[Dshield] Security in Layers
tonye at billy.demon.nl
Thu Mar 25 19:21:39 GMT 2004
On Thu, 25.03.2004 at 15.31, john beck wrote:
> Did anyone see the MS webinar on pen testing yesterday?
> The expert, Jesper M.
> Johansson, Ph.D manager of security business unit at microshaft, said that
> IDS and IPS are not effective and cause more complexity and problems than
> they are worth and recommends not deploying.
As Johannes U. has recently pointed out, you have to get to know your
software. Like you don't get to become a Unix mailadmin or Openldap
administrator by "pointing and clicking". Jesper M. Johansson is utterly
right in his chosen context: Microsoft Windows. In that, as he points
out, pointing and clicking don't have much to do with solving IDS
problems. Furthermore, most Microsoft-approved (?) IDS software for
Windows costs an arm and a leg. So few sites can afford it. So there's
no money for training, so it is not effective.
> He points out, and it was not
> in presentation but in questions afterwards, for example an IPS blocking a
> known bad "get process" but doesn't block the wrapper of the get process, I
> did not catch the name, but could look it up, therefore allowing it through.
> I was surprised to hear him say that about ids/ips. I did not get to
> question, but if you don't police the wire how do you know when there is
> malicious activities going on? I assume the good doctor is not a member of
Would be interesting to know what Microsoft people contribute actively
to SANS/GIAC. I'd guess at infinitely many (0/1). I suppose the reason
would be, that SANS/GIAC is there for the community. Which Microsoft is
not: Microsoft is there for Microsoft and to make money, whatever the
bloody community might profit from anything whatsoever. Nah, I'm not
/anti/-Microsoft as such, purely /for/ the community. Being both would
be an anachronism, an oxymoron and against my religious beliefs ("heaven
is a cat lying on your head, your head on the pillow, purring while
you're trying to get some sleep").
mail: billy - at - billy.demon.nl