IDS mailing list archives

Re: True definition of Intrusion Prevention


From: "Andrew Plato" <aplato () anitian com>
Date: Wed, 7 Jan 2004 17:18:46 -0800

> Again, I am broaching the subject of what is the true definition of
> Intrusion Prevention. Can someone on the list please enlighten me? It
> appears the definition of IPS has yet again been re-formed by various market
> analysts and some vendors.

> What is the difference between Intrusion Detection and Intrusion
> Prevention at the high level? Then at the granular level, Network
> Intrusion Prevention versus Network Intrusion Detection, Host Intrusion
> Prevention versus Host Intrusion Detection?

I have had this very debate a few times on a local listserv. It seems
to me that everybody is falling all over themselves to redefine their
products as "intrusion prevention systems" (IPS). Some of this is in
response to the Gartner report on IDS, others just because they think
there is a better market in IPS.

As somebody who has played with IPS systems for a long time now, I have
my opinion. I am sure some would disagree.

I consider a true IPS to natively exhibit two main criteria:

1. Sophisticated Analysis:  An IPS needs some kind of advanced analysis
engine to detect and categorize threatening behavior or network
communications. This analysis has to be more than merely applying a big
set of rules. It needs tolerances intermixed with signatures, intermixed
with rules. 

2. Native Response/Defense Capability: An IPS must be able to natively
respond to unwanted traffic or behavior. This should be both active and
passive. Active response meaning it can block unwanted behavior or
traffic based on analysis. Passive response meaning it can enforce a
static set of rules.

Based on these criteria, it becomes pretty easy to separate the various
IPS variants. But in general IDS is just #1, a firewall is just #2, and
IPS is #1 & #2. See, simple as that.  

Some other places have started calling their technology IPS when it's
really only about half there.

I agree that normalization or protocol enforcement do not constitute an
IPS. Anomaly detection is often PART of a good IPS. But it's not the sole
detection method. Furthermore, I also think a lot of products are only
about half there when it comes to being an IPS. Checkpoint, for example,
is real proud of their new SmartDefense proxies. They're a nice addition
to CP, but they only handle a handful of protocols and are really
nothing more than what proxy-based firewalls have always offered.

I'd also kick integrity monitors and hardened operating systems out of
the IPS category. They are close and exhibit many of the same benefits
of an IPS, but fail on the criteria I mentioned. 


> This then brings me to another point: host integrity checking. This
> technology makes no sense; all it is is a simple check for running a
> certain application, patch level, or AV engine. There are various
> vendors out there that offer AV/patch management solutions that offer an
> enhanced feature set beyond just a check for a registry.

Integrity monitoring has value, but in and of itself, integrity checking
isn't a complete solution. Many host IDSs provide integrity checking
features. Patch management is also valuable, but again, in and of
itself, it's not a complete solution.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security 
 
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________ 
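To make the "IDS is just #1, a firewall is just #2, IPS is #1 & #2" distinction concrete, here is an added illustration (not code from the post or from any vendor mentioned in it). It models the two criteria as switches on a toy engine: `analysis` applies a constructed signature plus a constructed rate tolerance, and `response` enables both passive enforcement of a static port rule and active blocking of whatever the analysis flags. The same constructed traffic is then run through a firewall-only, IDS-only and IPS configuration so the difference in outcome is visible. All ports, signatures, thresholds and sample events are assumptions made up for the example.

```python
"""Toy model of the three product categories: analysis only (IDS),
static rules only (firewall), and both together (IPS).
Everything below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One connection/request seen by the engine (constructed)."""
    src: str
    dst_port: int
    payload: bytes


# Passive response: a static rule the engine enforces without any analysis.
# Assumption: the policy forbids port 23 (telnet) entirely.
STATIC_BLOCKED_PORTS = {23}

# Analysis, part 1: constructed signatures (byte pattern -> verdict name).
SIGNATURES = {b"/etc/passwd": "path-traversal-attempt"}

# Analysis, part 2: a constructed tolerance, i.e. more than this many
# events from one source in the window is treated as anomalous.
CONNECTION_TOLERANCE = 3


class Engine:
    def __init__(self, analysis: bool, response: bool):
        self.analysis = analysis      # criterion #1 from the post
        self.response = response      # criterion #2 from the post
        self.counts = Counter()       # per-source event counter

    def analyze(self, ev: Event):
        """Signature match first, then tolerance check. Returns a verdict
        name or None when nothing looks threatening."""
        for pattern, name in SIGNATURES.items():
            if pattern in ev.payload:
                return name
        self.counts[ev.src] += 1
        if self.counts[ev.src] > CONNECTION_TOLERANCE:
            return "rate-tolerance-exceeded"
        return None

    def handle(self, ev: Event):
        """Returns (action, reason) with action in {allow, block, alert}."""
        # Passive response: static rule enforcement needs no analysis.
        if self.response and ev.dst_port in STATIC_BLOCKED_PORTS:
            return ("block", "static-rule")
        if self.analysis:
            verdict = self.analyze(ev)
            if verdict is not None:
                # Active response: block on analysis. Without native
                # response capability the best the engine can do is alert.
                return ("block" if self.response else "alert", verdict)
        return ("allow", None)


def run(engine: Engine, events):
    return [engine.handle(e) for e in events]


# Constructed sample traffic: one policy violation, one signature hit,
# and one source that exceeds the connection tolerance.
SAMPLE = [
    Event("10.0.0.5", 23, b"login"),
    Event("10.0.0.7", 80, b"GET /../../etc/passwd"),
    Event("10.0.0.9", 80, b"GET /"),
    Event("10.0.0.9", 80, b"GET /"),
    Event("10.0.0.9", 80, b"GET /"),
    Event("10.0.0.9", 80, b"GET /"),
]


def compare():
    """Run the same traffic through each configuration."""
    return {
        "firewall": run(Engine(analysis=False, response=True), SAMPLE),
        "ids": run(Engine(analysis=True, response=False), SAMPLE),
        "ips": run(Engine(analysis=True, response=True), SAMPLE),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Running it shows the split the post describes: the firewall configuration blocks only the static port rule and lets the signature hit and the rate anomaly through; the IDS configuration sees both of those but can only alert; only the IPS configuration both enforces the static rule and actively blocks what its analysis flags.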
