[Dshield] Security in Layers

Tony Earnshaw tonye at billy.demon.nl
Thu Mar 25 19:21:39 GMT 2004

tor, 25.03.2004 kl. 15.31 skrev john beck:

> Did any see the MS webinar on pen testing yesterday?

No, sorry.

>   The expert, Jesper M. 
> Johansson, Ph.D manager of security business unit at microshaft, said that 
> IDS and IPS are not effective and cause more complexity and problems than 
> they are worth and recommends not deploying.

As Johannes U. has recently pointed out, you have to get to know your
software. Like you don't get to become a Unix mailadmin or Openldap
administrator by "pointing and clicking". Jesper M. Johansson is utterly
right in his chosen context: Microsoft Windows. In that, as he points
out, pointing and clicking don't have much to do with solving IDS
problems. Furthermore, most Microsoft-approved (?) IDS software for
Windows costs an arm and a leg. So few sites can afford it. So there's
no money for training, so it is not effective.

>   He points out, and it was not 
> in presentation but in questions afterwards, for example an IPS blocking a 
> known bad "get process" but doen't block the wrapper of the get process, I 
> did not catch the name, but could look it up, therefor allowing it through.  
> I was surprised to hear him say that about ids/ips.  I did not get to 
> question, but if you don't police the wire how do you know when there is 
> malicious activities going on?  I assume the good doctor is not a member of 
> SANS:)

Would be interesting to know what Microsoft people contribute actively
to SANS/GIAC. I'd guess at infinitely many (0/1). I suppose the reason
would be, that SANS/GIAC is there for the community. Which Microsoft is
not: Microsoft is there for Microsoft and to make money, whatever the
bloody community might profit from anything whatsoever. Nah, I'm not
/anti/-Microsoft as such, purely /for/ the community. Being both would
be an anachronism, an oxymoron and against my religious beliefs ("heaven
is a cat lying on you head, your head on the pillow, purring while
you're trying to get some sleep").



mail: billy - at - billy.demon.nl

More information about the list mailing list