igsi,
You are wrong on this issue. I am a sysadmin and while I try to patch my systems whenever possible, it is a completely unrealistic expectation. First of all, while I try to stay on top of all patch notifications, the high number of warnings and alerts for the numerous systems I administer makes it impossible for me to be absolutely certain that all systems are always patched to the current version. Secondly, as all of the public servers I administer are in production environments, I cannot go and willy-nilly update a server anytime I want. I have to schedule maintenance windows and downtimes, first perform the upgrade in a staging environment, QA against that upgrade, etc. Many times only a "warning" is issued and we do not upgrade systems until a "high priority alert" is issued. These are the realities of system administration. For desktop users, how many times have you seen an MS update notification, and how long was the delay between when the update was available and when you actually installed the update?
Relying on such security hardening technologies as IDS (which is just one element of "hardening") has been absolutely vital to our security. Our Apache servers have Tripwire and Snort installed and caught the Slapper worm, so the use of an IDS definitely helped us catch the intruder!
You don't have to take my word for it. Besides, compared to you I'm probably a technology neophyte. So why not take a recognized security expert's word on the risks of relying on patches as a security measure? (Look at Jay Beale's answer to the question "What are the top things sysadmins can do to protect themselves?")
http://newsforge.com/article.pl?sid=02/10/25/1728232
Note that Beale talks about:
1. Hardening your system using security measures such as IDS is the most important! Patches and firewall rank second and third.
2. Patches are important, obviously, but there is risk due to the non-zero time it takes a vendor to release a patch and you to apply it.
3. With a hardened system you can actually break the exploits so that you can't be hacked, even while you still have broken software on the system. We have a Cisco IDS in addition to Tripwire and Snort. Even if we have susceptible software, we are at much less risk because we scan all incoming packets at the network and the server, and if something slips through and is compromised we know about it the same day, while you are sitting here waiting for the vendor to release a patch.
4. Regarding firewalls, Beale says: "always remember that firewalls rarely protect applications that you need accessible to the world. For instance, my firewall can't block access to my public webserver! It won't do a thing to protect it. Honestly, this is probably where much of the hacking effort is going to go."
5. Obviously, the best approach is to do all 3 things Beale mentions (hardened system && patches && firewall). I just wanted to raise my hand and say that dottom isn't the only one who thinks that relying on a firewall and a system administrator to patch all vulnerable systems is sufficient. No way. Say that in a job interview and you'd never get hired at my firm.
Now, I have a strange feeling this topic won't get resolved here as there are some philosophical differences. But one difference I cannot ignore is that, relying on patches from my software vendor (and the time it takes for me to test/validate/apply them) without an IDS installed, we would have failed all of our annual Ernst & Young security audits to date.
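As an added illustration of the Tripwire-style host integrity check the post leans on ("if something slips through and is compromised we know about it the same day"), here is a minimal baseline-and-compare monitor. This is example code written for this page, not the poster's setup and not Tripwire's or Snort's code; the directory tree it scans and the "post-compromise" changes it makes to that tree are constructed in a temp directory so it runs offline.

```python
"""Minimal Tripwire-style file integrity monitor: baseline, re-scan, diff.

Example code added to this page (not the poster's, not Tripwire's).
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped so an attacker cannot point a link at an unrelated
    file and have its hash recorded as if it were content under root.
    """
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed, or whose hash changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a tiny fake DocumentRoot is baselined, then tampered with.

    The files, their contents and the tampering below are all made up for
    illustration; nothing here is taken from a real incident.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "index.html").write_text("<h1>hello</h1>\n")
        (root / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "robots.txt").write_text("User-agent: *\n")

        # Baseline taken while the host is known-good (in practice: store it
        # off-host or on read-only media, or the intruder simply rewrites it).
        baseline = build_baseline(root)

        # Simulated intrusion (constructed): one script altered, one file
        # dropped, one file deleted.
        (root / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho tampered\n")
        (root / "dropped.bin").write_bytes(b"\x7fELF-not-really")
        (root / "robots.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

The point the post makes is that this check fires regardless of whether a patch exists yet: it reports the effect of the exploit (changed or dropped files), not the vulnerability. The caveat a practitioner would add is that the baseline and the checker itself must live somewhere the attacker cannot write, or the report is only as trustworthy as the compromised host.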