IDS mailing list archives

Re: True definition of Intrusion Prevention


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 29 Dec 2003 21:05:21 -0500

Yep ... "intrusion prevention" is the latest bandwagon marketing folks
are getting into. What makes matters worse is I think that "intrusion
detection" was also mis-labeled from the start. IDS was really "attack
and probe detection" but rarely did they actually detect real compromises.

Everything from better passwords to extra firewalls can be considered
intrusion prevention. Most of the time, I hear it when NIDS vendors
are going inline, or firewall vendors are going into the application
layer. In either case, a majority of the customers I speak with are not
deploying anything inline which can negatively affect their infrastructure.
There are some exceptions, but most networks which are poorly run are
insecure by practice and don't suffer inline security that well. Other
networks that have had a sound security design have shrugged off worms
and attacks without any new technology.

The other area IPS is becoming popular is at the host. Okena (Cisco),
Entercept (NAI), SANA, all of the host firewall guys, the virus guys
and who knows who else have solutions to mitigate attacks at the
server and desktop. Some of these guys use rules, AI, mods to the OS,
enhanced firewall ACLs, prayer and reverse engineered alien technology.

What gets me about IPS is how polarizing it is to the enterprise
security industry. There are some really big enterprises out there that
hear Gartner slam the lack of success of IDS, and then look to their
successful IDS deployments. I see the purchase of Guardent by Verisign
and Riptech by Symantec as endorsements of the IDS space. At the same
time, I see a lot of folks halting NIDS/HIDS deployments in favor of
enhanced configuration/vulnerability management or even outsourcing
IT altogether.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
At 09:44 AM 12/28/2003 -0700, Teicher, Mark (Mark) wrote:
Again, I am broaching the subject of what is the true definition of
Intrusion Prevention. Can someone on the list please enlighten me? It
appears the definition of IPS has yet been re-formed by various market
analysts and some vendors.

Normalization and anomaly detection is not "Intrusion Prevention".

What is the difference between Intrusion Detection and Intrusion Prevention
at the high level? Then at the granular level, Network Intrusion
Prevention versus Network Intrusion Detection, Host Intrusion
Prevention versus Host Intrusion Detection?

Some vendors have mentioned the use of "black list" vs "white list".
This appears a bit more subjective, and less effective in most
enterprises since this would require application network traffic
analysis, and researching all the little .dlls that are associated with
various applications in order to derive an effective "black list" versus
"white list" policy.

This then brings me to another point, host integrity checking. This
technology makes no sense; all it is is a simple check for running a
certain application, patch level, or AV engine. There are various
vendors out there that offer AV/patch management solutions with a more
enhanced feature set than just a check of a registry.

*points to ponder*

/mark
