I *heart* my IPS

Last year I vowed to do whatever I could to wean myself off as much dependence on Microsoft patches as I could. To wit: I started purchasing IPS and UTM devices for our offices. The main offices got the IPS units behind the beefcake firewalls and the satellite offices got UTM devices in lieu of a firewall. I also aggressively ramped up our HIPS deployment to try to get as close to 100% of our laptops covered as possible.

All that hard work and capital is paying off now. Today I sent an internal advisory about Tuesday’s patch release and on all the patches that are critical to our environment I was able to say that we already have strong (though not complete) protection for most attacks.

IPS isn’t dead nor useless. When leveraged correctly it can help take some of the pressure off of patch Tuesday and reboot Wednesday. Granted, nothing replaces patches in your security regimen, but IPS technology can give you more time to test thoroughly before deploying to production.

ANI exploits

I’ve seen ANI alerts on my IPS units regarding three sites:

http://www.cursors-4u.com
http://www.htmate.com
http://www.htmate2.com
http://www.cute-spot.com
202.108.43.155 <- can’t get a domain for this one. The file name that triggered the alert is: /mapabcsina/ime/images/curpic/drag.ani

htmate.com and htmate2.com are geared towards MySpace sites, which is pretty clever. It’s funny to see how hideous the sites are. Reminds me of my first website, which had tons of animated gifs everywhere and the obligatory “welcome to my corner of the Internet.” LOL

At any rate, you might consider blocking access to these sites if you have no other means of protection.
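If you want to check your own proxy logs for the sites above, or for .ani downloads in general, here is a small added example (mine, not part of the original post). It assumes a minimal space-separated log layout of timestamp, client IP, method, URL and status; the sample lines are constructed, only the host names and the drag.ani path come from the alerts above.

```python
# Added example: flag proxy-log requests to the ANI-hosting sites listed in the
# post, plus any .ani download from an unlisted host. Not the post's own code.
from urllib.parse import urlsplit

# Hosts taken from the IPS alerts above; 202.108.43.155 is the one with no domain.
ANI_HOSTS = {
    "www.cursors-4u.com",
    "www.htmate.com",
    "www.htmate2.com",
    "www.cute-spot.com",
    "202.108.43.155",
}

# Constructed sample log in an assumed layout:
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_LOG = """\
1175558400.123 10.1.2.3 GET http://www.example.com/index.html 200
1175558401.456 10.1.2.3 GET http://www.htmate.com/layouts/glitter/style.css 200
1175558402.789 10.1.2.4 GET http://202.108.43.155/mapabcsina/ime/images/curpic/drag.ani 200
1175558403.012 10.1.2.5 GET http://cdn.example.net/themes/pointer.ANI 200
1175558404.345 10.1.2.6 GET http://www.example.org/about 404
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify(url):
    """Return a reason string if the URL is worth flagging, else None."""
    parsed = urlsplit(url)
    host = (parsed.hostname or "").lower()
    if host in ANI_HOSTS:
        return "known ANI-hosting site"
    # Cursor files are fetched from anywhere, so match on the extension too.
    if parsed.path.lower().endswith(".ani"):
        return ".ani download from unlisted host"
    return None


def scan(log_text):
    """Return (client, url, reason) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["url"])
        if reason:
            hits.append((rec["client"], rec["url"], reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client} {url} -> {reason}")
```

The host match gives you a quick blocklist check; the extension match is the broader net, since an IPS signature keys on the .ani content, not on where it came from. Expect some noise from legitimate cursor themes, so treat the second reason as a lead to look at, not an automatic block.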

ANI Vulnerability: big fuggin’ deal

I wasn’t going to post today about third party patches, Microsoft’s hubris, and the value of IPS tech, but I just couldn’t resist the opportunity to get an ‘I told ya so’ in there.

The facts: (more…)

UTM devices; the coarse-grained filter for your network

‘UTM’ is one of those topics that tends to polarize a room of geeks. You get folks saying UTM is great stuff and you have folks who say it’s a waste of time. I happen to find use in UTM. I utilize UTM devices for satellite offices. Here’s how it works:

Our network topology is a distributed WAN network with a few major offices and several satellite offices, all scattered throughout the world. Starting in ’06 we started deploying IPS and UTM devices. The major offices all get network IPS units behind the existing, beefcake firewalls and the satellite offices get UTM devices in lieu of a firewall. (more…)

Warezov worm spreading through Skype

This is a prime example of one of my chief complaints about Skype: Skype presents a back door into your network that can’t be monitored. A Warezov worm variant is spreading through the Skype network posing as a legitimate Skype IM, prompting users to click on a link to download the payload.

Granted, you can snipe the HTTP ‘get’ and you can snipe the payload inbound, but it’s far more efficient to be able to block the inbound message in the first place, which you can’t do because Skype’s traffic is encrypted, effectively defeating any IPS on the planet.

For that reason, this is a very good argument for solid endpoint security: AV + patch management + HIPS, etc.