IDS mailing list archives

Re: True definition of Intrusion Prevention


From: Bamm Visscher <bamm () satx rr com>
Date: Tue, 30 Dec 2003 15:42:10 -0600

My personal opinion is IPSs have been mislabeled since the beginning (aren't marketers wonderful). Take this
definition I found in some Usenet archives (circa 1992):

  "a combination of a security policy with some of the components
   above. Specifically, an implementation of the given policy that
   is enforced by a combination of screening and/or routing." [1]

Geeze, seems like IPS would fit right in there. Now the final Jeopardy question: what was that a definition of? If you
guessed "firewall" then you get the big prize. So that's it, you heard it here folks, an IPS isn't the evolution of an
IDS, but instead part of the evolution of a firewall. If you look at the history of firewalls, you'll see that early on
there were huge flame wars over Packet Filtering and Application Firewalls. In the end, the packet filtering FW won
out. Seems to me packet filtering FWs used fewer resources and could handle faster networks, and as those speeds
approached full duplex 100mb links, application FWs got left in the dust.

Fast forward to 2003 and the designers of IDS software have made huge progress in detecting potential attacks, systems'
CPU/RAM/etc. have increased phenomenally, and the 'normal' speed of networks has sorta leveled out. So, application FWs
are back in the picture. Vendors with short term memory loss label this 'new' product an Intrusion Prevention System
and advertise it as the replacement for your IDS. Those vendors give it a new label for good reason. There is no way
they want to bang heads with the big FW companies and, more importantly, their implementations of IDS have been huge
failures within their customers' networks and they need something to market as 'new and improved' (again).

I say (most) vendors of IDS and 'IPS' products failed because they sold the product as an INTRUSION Detection System
when they really had an ATTACK detection system. An INTRUSION Detection System implies the IDS can detect an event and
determine its nature (malicious vs. non-malicious). If the attack was malicious, an IDS will help you determine if it
was successful. If the attack was successful, the analyst should be able to use the data collected by the IDS to
determine the impact on the system in question and finally what steps are needed for remediation. The 'IDS' vendors
instead force fed us near worthless systems that can display an 'event'. Many won't give us any details on how they
determined it was an 'event' and most can't give us any supporting data about the 'attack' beyond a src/dest IP addr
and port. If we are lucky, we get a whole packet too. No analysis can be done with the console; instead one must go to
the targeted machine and pull out his/her host forensics kit or pay a 'Security Consulting' firm $600/hour to recommend
you wipe and rebuild the system.

Soon customers begin to ask "what do I do with this event" and later "I spent XXX hours tracking this down only to find
the attack didn't happen or wasn't successful". The vendor, noticing the angst in his customer's voice, replies with "we
are working on ways to reduce 'false-positives' and in the future we will use IPS technology to prevent attacks too."
and thus the birth of "IDS is Dead". I expect FW vendors to incorporate more and more attack detection features from
IDSes (duh) and have true hybrid Packet Filtering/Application FWs, but the fact is we will still need IDS. IDS done the
right way of course (we call it Network Security Monitoring), but that is a whole other rant.

Bammkkkk

http://sguil.sf.net

[1] Above quote was by one Marcus J. Ranum
    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=1992Jul26.211639.29453%40decuac.dec.com
