Cisco Blogs


Cisco Blog > Security

IPS Isn’t Magic — But That’s Okay

In this post we will be building on the ideas covered in my previous post, Whales and IDS, and discussing how striving for the possible, not the perfect, is a valuable direction to take; not just with IPS, but with management and monitoring alerts from IDS too.

At Cisco, my team (Cisco CSIRT) is responsible for investigations into any cyber attacks against Cisco.com. Back when we first deployed IDS, we found that hundreds of IPs from all over the world were attacking us all the time. Right now there are probably 100 different sources port-scanning, probing our web infrastructure, looking for a way in. An IPS would detect these attacks, but we have a relatively small team and we can’t act on everything, so we really have to make sure we DO act on the important stuff. In the Cisco.com environment, we get over a million inbound attacks every day. Very rarely do the attacks have any level of success, and no one can physically examine that many legitimate (but unsuccessful) attacks. Yes, examining each and every one of those attempts would be perfect, just not feasible. But we haven’t let the ideal get in the way of the possible. I’ll give you an example of how we used this line of thinking to improve the security of the site.

Read More »

Tags: , ,

Whales and IDS

Sometimes there is a perceived need to perfectly fix a problem, and that need can be the enemy of incremental steps that can reduce a problem to an acceptable level. Let me illustrate this by making one of those physical-to-virtual analogies that never really seem to translate very well:

Saving the whales is a difficult task that we will probably never completely finish. We won’t turn the entire planet into a playground for whales, nor do we need to. But if we take steps to regulate the hunting of whales and to protect their food and environment, that may be all that is both possible and needed.

Similarly, we won’t ever completely stop online crime. Consider how that impacts the current view of IPS and signature-based detection methods. These methods often develop a bad reputation because they can be poorly implemented and evaded, and they don’t always detect or prevent all criminal activities.

Read More »

Tags: , ,