Re: True definition of Intrusion Prevention

[Mike Poor <mike () digitalguardian net>]

On Tue, Dec 30, 2003 at 06:02:57PM -0500, George Capehart wrote:
> > Having the ability to block a detected attack instead of just
> > reporting on it.
>
> That's not intrusion *prevention*, it's intrusion *blocking*.  ;-)
>
> I'm being pedantic ... <snip>

Well, if we are being pedantic, then what you are discussing is Attack blocking, as you still have no idea if the 
attack would end up being a successful intrusion.

Same goes for NIDS (which I personally think despite the acronym should be NADS for Network Attack Detection System).

Just because it begins with an I and ends with an S does not make IPS an IDS killer.

We still need to have:

Policy
Policy enforcement (firewall, IPS, application level firewall, router acls, anti-virus gateway etc)
Audit function (IDS, audit trail such as tripwire, argus, niksun, various ESM products etc)
Change control

my $0.02

Mike Poor





---------------------------------------------------------------------------
---------------------------------------------------------------------------