sunhux

asked on

Comparison of IPS/NIDS in terms of # of virtual patches (or CVEs) covered

Q1:
I'm making a comparison of IPS brands that give the most virtual patches
for various CVEs for MS (Windows, Outlook, .NET, MS SQL, IIS & MS Office),
Oracle (WebLogic, Database, Java, Solaris), Linux (various Linux, esp. RHEL,
Ubuntu, Debian, CentOS used in microservices) & a couple of open-source
software products (e.g. PHP, Apache, Struts, WordPress).

The reason is it's difficult to get downtime & lead time to patch can often
stretch to almost a year.   Currently, Trend Micro claims its Deep Security
is endorsed by MS as giving the most virtual patches for MS products.

Q2:
What about TippingPoint NIDS (acquired by Trend Micro) in terms of
its number of virtual patches for the various products above?

Q3:
What about other products (esp. coverage for Oracle & Linux-related ones)?
McAfee, Check Point, Sophos, ... ?

Q4:
Also, continued availability of virtual patches for obsolete versions of software is crucial
for us as we have a long lead time to tech-refresh obsolete (i.e. principals/
developers don't release patches for it anymore) software.

Q5:
There's an argument that ultimately the product patch still needs to be applied?
What could be the possible reasons for this?   I heard that for NIDS, if
PCs got infected/compromised, the attacker could bypass the NIDS & WAF to
attack the unpatched endpoint servers.  I guess an IPS with an agent inside
the endpoint will mitigate this, right?
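Vendor marketing counts ("the most virtual patches for MS products") say little about how many of the CVEs actually exposed on your own hosts a given IPS signature set covers. The following is an added example, not code from the original thread or from any IPS vendor: it takes constructed scanner findings (host, CVE id, product family) and constructed per-vendor virtual-patch lists, ranks the vendors by coverage of your exposed CVEs (by unique CVE and by affected host), breaks coverage down per product family as the question asks, and prints the residual list of CVEs that still need the real patch regardless of which vendor is chosen. Every vendor name, host name and CVE id below is a placeholder; no real coverage figures are implied.

```python
from collections import defaultdict

# Constructed sample scanner output: (host, CVE id, product family).
# The CVE ids are placeholders, not real identifiers.
SCAN_FINDINGS = [
    ("web01", "CVE-0000-0001", "IIS"),
    ("web01", "CVE-0000-0002", "IIS"),
    ("db01",  "CVE-0000-0003", "MS SQL"),
    ("erp01", "CVE-0000-0004", "WebLogic"),
    ("erp01", "CVE-0000-0005", "Java"),
    ("app01", "CVE-0000-0006", "Struts"),
    ("app02", "CVE-0000-0006", "Struts"),   # same CVE present on a second host
    ("app02", "CVE-0000-0007", "RHEL"),
]

# Constructed vendor virtual-patch (signature) lists keyed by CVE id.
# In practice these come from each vendor's published signature/CVE mapping.
VENDOR_COVERAGE = {
    "VendorA": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0006"},
    "VendorB": {"CVE-0000-0001", "CVE-0000-0004", "CVE-0000-0005",
                "CVE-0000-0006", "CVE-0000-0007"},
}


def exposed_cves(findings):
    """Collapse findings to unique CVEs: {cve: {"family": str, "hosts": set}}."""
    by_cve = {}
    for host, cve, family in findings:
        entry = by_cve.setdefault(cve, {"family": family, "hosts": set()})
        entry["hosts"].add(host)
    return by_cve


def coverage_by_family(findings, vendor_coverage):
    """Per vendor, (covered, total) unique CVEs for each product family."""
    cves = exposed_cves(findings)
    report = {}
    for vendor, sigs in vendor_coverage.items():
        per_family = defaultdict(lambda: [0, 0])
        for cve, info in cves.items():
            per_family[info["family"]][1] += 1
            if cve in sigs:
                per_family[info["family"]][0] += 1
        report[vendor] = {fam: tuple(v) for fam, v in per_family.items()}
    return report


def rank_vendors(findings, vendor_coverage):
    """Rank vendors by covered unique CVEs, then by covered (host, CVE) findings.

    Returns [(vendor, covered_cves, total_cves, covered_findings, total_findings)].
    """
    cves = exposed_cves(findings)
    scores = []
    for vendor, sigs in vendor_coverage.items():
        covered_cves = sum(1 for cve in cves if cve in sigs)
        covered_findings = sum(1 for _, cve, _ in findings if cve in sigs)
        scores.append((vendor, covered_cves, len(cves), covered_findings, len(findings)))
    return sorted(scores, key=lambda s: (-s[1], -s[3], s[0]))


def residual_patch_list(findings, vendor_coverage, vendor):
    """CVEs (with affected hosts) the chosen vendor does NOT virtually patch.

    These hosts have no stopgap at all and must go to the front of the real
    patching queue.
    """
    cves = exposed_cves(findings)
    return {cve: sorted(info["hosts"])
            for cve, info in cves.items() if cve not in vendor_coverage[vendor]}


if __name__ == "__main__":
    for vendor, c_cves, n_cves, c_find, n_find in rank_vendors(SCAN_FINDINGS, VENDOR_COVERAGE):
        print(f"{vendor}: {c_cves}/{n_cves} exposed CVEs, {c_find}/{n_find} host findings")
        for fam, (cov, tot) in sorted(coverage_by_family(SCAN_FINDINGS, VENDOR_COVERAGE)[vendor].items()):
            print(f"    {fam:<9} {cov}/{tot}")
        print("    still need the real patch:", residual_patch_list(SCAN_FINDINGS, VENDOR_COVERAGE, vendor))
```

The per-family breakdown is what answers Q1 and Q3: a vendor that tops the overall ranking can still leave a whole product family (here VendorB on MS SQL, VendorA on WebLogic and Java) with no virtual patch, and the residual list is the set of systems for which the "virtual patch buys time" argument does not apply.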
SOLUTION
David Johnson, CD
> Reason is it's difficult to get downtime & lead time to patch can often stretch to almost a year.

Really?  You sometimes don't patch for a year?  Poor planning by the upper management is going to result in infrastructure failure.  If you can't get proper lead time then find another job.  This is not the kind of place I'd want to work for when a failure happens.

Using IPS or AV in lieu of patching does not fix the problem.  You are trying to catch a problem after it happens.  Patching is to prevent the problem from happening in the first place.  If you have a sturdy steel door to your facility and the lock is broken, it should be fixed.  That's what patching is.  IPS is the camera aimed at the door.  The criminal wears a mask and comes in through the broken door.  You've caught him on camera, but he's already broken in and taken stuff from your site already.  The damage is done.  AV is the alarm system that starts blaring when that door is opened.  The criminal still got in, but some get scared away, while others will still run in and grab something quick because they know the police won't arrive that quickly.

Don't skip patching.  

<rant>
Sometimes, when you wait a year for patches, you will encounter issues with the patch process.  I encountered this at a place that I took over and basically just created new domain controllers and took the 2 problem servers offline and retired them.  The lazy S.O.B. sysadmin had stopped doing work for a year, while he was still getting paid.  He didn't check backups either.  The patches installed on the broken systems, but within a day to a week, the patches would revert completely.  I caught it restarting to undo the patch while I was logged in.  I had it open with no other users and it restarted on me while I was working on it.

Do not ever leave a server unpatched for that long.  You can occasionally skip a month, but skipping a year is just asking for trouble.  I've been pulled into a few places where they did this and more than half of those systems just needed to be reinstalled.  The patching would not apply correctly or they'd uninstall themselves.  Those "sysadmins" should be sued for negligence to recover the pay for work not done.

If it's upper management that's saying don't do it, Cover Your Ass and document all requests to properly attempt to patch.  Make sure you have a full document trail that goes to everyone important in the company.  Start looking for another job.  This is not a good place to work for.
</rant>
ASKER CERTIFIED SOLUTION

sunhux

ASKER

> Really?  You sometimes don't patch for...

For MS, we have WSUS, so it can be patched within 1-2 months after patch availability.

In one bank, AS400 patches can take 6-8 months to test before applying in
Prod (though AS400 is not Internet-facing): it's more of pressure from audits.
We'll skip comments on the late patching but just discuss the technicalities here.

To use 'apt...', we will need Internet access, which is not the case with non-DMZ servers.

A candidate who came job seeking told us that in the regional SAP centre he works
for, he used TippingPoint to deploy 'virtual patches' so that they have more time
to apply the actual product patches, so this gave me the idea.

MS patches probably won't need much testing, but not so with UNIX & UNIX products:
I have seen how Digital Unix & OpenVMS & even Solaris patches caused databases
& apps to break, thus more time is needed to test.

> Trend Micro Deep Security has the best virtual patching for MS products?

Will search for that article.
Not in disagreement with virtual patches, but just that having to compare devices that do that and rank them in terms of which is better may not be comprehensive.

The key is to have that device be effective in actually preventing the vulnerability from being exploited. It may not always be patches or IOCs. At times it is a call to disable a vulnerable service such as RDP or equivalent.
I was reading your initial question one more time: "Comparison of IPS/NIDS in terms of # of virtual patches (or CVEs) covered."

Speaking about Linux only, most distros tap into the same vulnerability databases, share data about fixing vulnerabilities, and in general race to see who can roll out a patch first.

So all CVEs are covered very quickly.

And some patches, like the 2x zero days found 3x years ago, can't be patched by just installing an update: all data must be backed up, then a fresh (obliteration) install done, then data restored.

This means CVEs generally have patches shipped very quickly, and, depending on the type of hosting you're running, the action required on your part to apply the patch will vary.

Tip: Very few hosting companies install patches in a timely fashion. Even fewer do major OS updates as they should. None do obliteration reinstalls to fix zero days correctly.

At least this is my experience recovering projects from hacks.