[Zeek] Can Zeek be installed as in-line IPS?

Richard Bejtlich richard at corelight.com
Mon Mar 18 11:28:16 PDT 2019


The PCI requirement is for IDS or IPS, which is unfortunate because they
are totally different. I'm surprised IPS is even a market segment anymore.
At this point it's really just a firewall feature. There's so much more
that can be done with a passive observation platform like Zeek, when you
don't have to worry about making line-speed judgements.

Sincerely,

Richard

On Mon, Mar 18, 2019 at 1:50 PM Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> Yes.  Many.
>
> PCI-DSS 11.4 comes up quite often. Whether we have consensus on the
> validity and utility of an IPS or not, it comes up in every single PCI
> audit.
>
> On Mon, Mar 18, 2019 at 1:40 PM Richard Bejtlich <richard at corelight.com>
> wrote:
>
>> Yes, as Seth said, I said IPS. Is anyone really deploying IPS now? I only
>> see Palo Alto firewalls, etc.
>>
>> Sincerely,
>>
>> Richard
>>
>> On Mon, Mar 18, 2019 at 1:02 PM Seth Hall <seth at corelight.com> wrote:
>>
>>>
>>>
>>> On 18 Mar 2019, at 11:30, Patrick Kelley wrote:
>>>
>>> > I still see the same issues we had on networks 10 years ago. It is
>>> > reduced, due to HTTPS and some SMTP, sure.  Dead... not really.
>>>
>>> To be fair, he did say IPS.  In my opinion IPS has always been in a
>>> weird spot where the definition isn't terribly clear (block a single
>>> packet in-flight?  block a connection after a determination is made?
>>> ...etc).
>>>
>>> I think everyone here will agree that the visibility provided by Zeek is
>>> useful even on modern networks and that tail of completely unencrypted
>>> traffic is awfully long. :)
>>>
>>>    .Seth
>>>
>>> --
>>> Seth Hall * Corelight, Inc * www.corelight.com
>>>
>>
>>
>> --
>> Richard Bejtlich
>> Principal Security Strategist, Corelight
>>
>
>
> --
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
> *CTO*
> patrick.kelley at criticalpathsecurity.com
> (o) 770-224-6482
>
> *The limit to which you have accepted being comfortable is the limit to
> which you have grown. Accept new challenges as an opportunity to enrich
> yourself and not as a point of potential failure.*
>
>
>

-- 
Richard Bejtlich
Principal Security Strategist, Corelight
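What Seth describes as "block a connection after a determination is made" is the one IPS-like mode a passive sensor such as Zeek can support: the packets have already passed the tap, so blocking happens out of band, by asking an external enforcement point to act once enough evidence has accumulated. The script below is an added example, not code from this thread or from the Zeek project itself. It uses Zeek's NetControl framework with its built-in debug backend (which only logs the rules it would push, so it runs without a real firewall or switch); the choice of failed SSH logins as the trigger, the threshold of 5, the 10-minute block, the module name `PassiveBlock` and the file name `passive_block.zeek` are all assumptions made for illustration.

```zeek
# Added example (not from the thread): Zeek acting *after* a determination,
# i.e. "block a connection after a determination is made", not per-packet
# in-line blocking. Uses Zeek's NetControl framework with its debug backend
# so it runs without a real enforcement device. The SSH trigger, threshold,
# block duration and module name are assumptions for illustration.
@load base/frameworks/netcontrol
@load base/protocols/ssh

module PassiveBlock;

export {
    ## Failed SSH authentications from one source before we act (assumed value).
    const fail_threshold = 5 &redef;
    ## How long the resulting block should last (assumed value).
    const block_duration = 10 min &redef;
}

# Per-source failure counter; an entry is dropped if the source goes quiet.
global ssh_fails: table[addr] of count &default=0 &create_expire=10 min;

event NetControl::init()
    {
    # The debug plugin writes the rules it *would* send to netcontrol.log
    # instead of talking to a firewall, switch or OpenFlow controller.
    local debug = NetControl::create_debug(T);
    NetControl::activate(debug, 0);
    }

event ssh_auth_failed(c: connection)
    {
    local src = c$id$orig_h;
    ssh_fails[src] += 1;

    if ( ssh_fails[src] == fail_threshold )
        {
        # The determination comes from a stream of protocol events, long
        # after the individual packets went by; only now is an external
        # enforcement point asked to block the source for block_duration.
        NetControl::drop_address(src, block_duration,
                                 fmt("%d failed SSH authentications", ssh_fails[src]));
        }
    }
```

Run it against a capture (`zeek -r capture.pcap passive_block.zeek`) or live on an interface (`zeek -i eth0 passive_block.zeek`); the fifth failed login from one source produces a drop rule in `netcontrol.log`. Swapping the debug plugin for one of the framework's real backends is what turns the log entry into an actual block, which is exactly the line-speed judgement Zeek itself never has to make.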