IDS mailing list archives

RE: True definition of Intrusion Prevention


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 30 Dec 2003 08:25:00 -0700

Richard,

Except that most seasoned Intrusion Detection Products have had the
ability to "shun" based on a policy.  Intrusion Prevention has not been
clearly defined as to what it is supposed to do and what actual attacks are
Intrusion Prevention class.

/mark

-----Original Message-----
From: Richard Bejtlich [mailto:richard_bejtlich () yahoo com] 
Sent: Tuesday, December 30, 2003 5:49 AM
To: focus-ids () securityfocus com
Subject: RE: True definition of Intrusion Prevention


Hello,

I like to classify products and principles according
to their place in the "security process" [1]:

assess -> protect -> detect -> respond

"Assess" means implementing policies and procedures
and measuring security posture via vulnerability
assessment.

"Protect" means trying to prevent intrusions, perhaps
with filtering bridges and routers, firewalls, and
"IPS," some on the host (e.g., systrace) and some on
the network.  IPS is a progression up the stack in
terms of making access control decisions.  We started
at layers 3 and 4 with IPs and ports, then added
stateful inspection, and now some products work more
or less at layer 7 doing "deep inspection" beyond
layers 3 and 4.  On the host we're moving down from
userland closer to the kernel.  Protection is active;
it alters the environment.

"Detect" is where I put all IDS products.  "Detect" is
passive.  We detect cases where prevention has failed.
It's "network auditing" and "network security
monitoring."

In the "response" phase we contain and remediate the
intrusion.  Humans do this for cases where prevention
fails.

People get confused because the "protect" phase can
make detect and respond steps in order to prevent
intrusions.  For example, prevention product X detects
recon from potential intruder Y and responds by
reconfiguring a firewall to shun Y's IP.  That's all
still protection; the end result was an action that
altered the environment.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com

[1] I decided to buck the "reinvent the wheel" trend
and use someone else's security process terms -- from
"Internet Site Security" by Erik Schetina, Ken Green,
and Jacob Carlson.

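The "prevention product X detects recon from Y and responds by shunning Y's IP" case above, as an added illustration for this archive page (example code written here, not from either list author or from any product): a small shun policy in which the protect phase itself runs a detect step (one source touching many distinct ports on one host within a short window) and a respond step (emit a time-limited deny rule). The class and function names, thresholds, allowlist and sample flows are all constructed for the example.

```python
"""Detect-then-respond inside the 'protect' phase: recon -> shun.

Everything here is hypothetical example code; the names and numbers are
constructed for illustration, not taken from any real IPS product.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample data below)."""
    ts: float       # seconds
    src: str
    dst: str
    dport: int


class ShunPolicy:
    """detect: a source hitting >= port_threshold distinct destination ports
               on one host within `window` seconds is treated as recon.
       respond: emit a firewall 'deny' for that source with an expiry,
               unless the source is allowlisted (then only 'alert')."""

    def __init__(self, port_threshold=5, window=10.0, shun_seconds=300.0,
                 allowlist=()):
        self.port_threshold = port_threshold
        self.window = window
        self.shun_seconds = shun_seconds
        self.allowlist = frozenset(allowlist)
        self._hits = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
        self.shunned = {}                 # src -> expiry timestamp
        self.rules = []                   # (action, src, ts) tuples, in order

    def _expire(self, now):
        # Shuns are time-limited; lift them so a stale block cannot linger forever.
        for src, until in list(self.shunned.items()):
            if now >= until:
                del self.shunned[src]
                self.rules.append(("permit", src, now))

    def observe(self, flow):
        """Feed one flow; return the rule emitted for it, or None."""
        self._expire(flow.ts)
        if flow.src in self.shunned:
            return None                   # already blocked; nothing new to emit
        hits = self._hits[(flow.src, flow.dst)]
        hits.append((flow.ts, flow.dport))
        while hits and flow.ts - hits[0][0] > self.window:
            hits.popleft()                # keep only the sliding window
        if len({p for _, p in hits}) < self.port_threshold:
            return None
        if flow.src in self.allowlist:
            # Caveat: source addresses can be spoofed, so an automatic shun can
            # end up blocking a host you depend on. Allowlisted sources only
            # raise an alert; they never produce a deny rule.
            rule = ("alert", flow.src, flow.ts)
        else:
            self.shunned[flow.src] = flow.ts + self.shun_seconds
            rule = ("deny", flow.src, flow.ts)
        self.rules.append(rule)
        return rule


def run(flows, **kwargs):
    """Replay time-ordered flows through a fresh policy and return it."""
    policy = ShunPolicy(**kwargs)
    for f in flows:
        policy.observe(f)
    return policy


# Constructed sample traffic, chronological.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5", "10.0.0.20", 21),
    Flow(0.2, "10.0.0.9", "10.0.0.20", 443),
    Flow(0.5, "10.0.0.5", "10.0.0.20", 22),
    Flow(1.0, "10.0.0.5", "10.0.0.20", 23),
    Flow(1.5, "10.0.0.5", "10.0.0.20", 25),
    Flow(2.0, "10.0.0.5", "10.0.0.20", 80),     # fifth distinct port -> deny
    Flow(2.5, "10.0.0.5", "10.0.0.20", 443),    # already shunned: no new rule
    Flow(3.0, "10.0.0.9", "10.0.0.20", 443),    # one port repeatedly: normal
    Flow(4.0, "10.0.0.53", "10.0.0.20", 21),
    Flow(4.1, "10.0.0.53", "10.0.0.20", 22),
    Flow(4.2, "10.0.0.53", "10.0.0.20", 23),
    Flow(4.3, "10.0.0.53", "10.0.0.20", 25),
    Flow(4.4, "10.0.0.53", "10.0.0.20", 80),    # allowlisted: alert only
    Flow(310.0, "10.0.0.9", "10.0.0.20", 443),  # shun on 10.0.0.5 expires here
    Flow(311.0, "10.0.0.5", "10.0.0.20", 443),  # single port: not shunned again
]

if __name__ == "__main__":
    for action, src, ts in run(SAMPLE_FLOWS, allowlist={"10.0.0.53"}).rules:
        print(f"t={ts:6.1f}  {action:6s} {src}")
```

Replaying the sample yields three actions: a deny for 10.0.0.5 at t=2.0, an alert (not a deny) for the allowlisted 10.0.0.53 at t=4.4, and a permit that lifts the shun at t=310. The point of the example is Richard's own: the product detects and responds, but because the end result is a firewall change, the whole loop still belongs to "protect".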
