IDS mailing list archives
Re: True definition of Intrusion Prevention
From: "Andrew Plato" <aplato () anitian com>
Date: Wed, 7 Jan 2004 17:18:46 -0800
Again, I am broaching the subject of what is the true definition of Intrusion Prevention. Can someone on the list please enlighten me? It appears the definition of IPS has yet been re-formed by various market analysts and some vendors. What is the difference between Intrusion Detection and Intrusion Prevention at the high level? Then at the granular level, Network Intrusion Prevention versus Network Intrusion Detection, Host Intrusion Prevention versus Host Intrusion Detection?
I have had this very debate a few times on a local listserv. It seems to me that everybody is falling all over themselves to redefine their products as "intrusion prevention systems" (IPS). Some of this is in response to the Gartner report on IDS, others just because they think there is a better market in IPS. As somebody who has played with IPS systems for a long time now, I have my opinion. I am sure some would disagree. I consider a true IPS to natively exhibit two main criteria:

1. Sophisticated Analysis: An IPS needs some kind of advanced analysis engine to detect and categorize threatening behavior or network communications. This analysis has to be more than merely applying a big set of rules. It needs tolerances intermixed with signatures, intermixed with rules.

2. Native Response/Defense Capability: An IPS must be able to natively respond to unwanted traffic or behavior. This should be both active and passive. Active response meaning it can block unwanted behavior or traffic based on analysis. Passive response meaning it can enforce a static set of rules.

Based on these criteria, it becomes pretty easy to separate the various IPS variants. But in general, IDS is just #1, a firewall is just #2, and IPS is #1 & #2. See, simple as that.

Some other places have started calling their technology IPS when it's really only about half there. I agree that normalization or protocol enforcement do not constitute an IPS. Anomaly detection is often PART of a good IPS, but it's not the sole detection method. Furthermore, I also think a lot of products are only about half-there when it comes to being an IPS. Checkpoint, for example, is real proud of their new SmartDefense proxies. They're a nice addition to CP, but they only handle a handful of protocols and are really nothing more than what proxy-based firewalls have always offered. I'd also kick integrity monitors and hardened operating systems out of the IPS category. They are close and exhibit many of the same benefits as an IPS, but fail on the criteria I mentioned.
This then brings me to another point: host integrity checking. This technology makes no sense; all it is is a simple check for running a certain application, patch level, or AV engine. There are various vendors out there that offer AV/patch management solutions with an enhanced feature set beyond just a check of a registry.
Integrity monitoring has value, but in and of itself, integrity checking isn't a complete solution. Many host-IDSs provide integrity checking features. Patch management is also valuable, but again, in and of itself, it's not a complete solution.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
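To make the "IDS is just #1, a firewall is just #2, IPS is #1 & #2" distinction concrete, here is an added toy model (my own illustration, not code from the post or from any product it names). It separates an analysis engine (signatures plus a tolerance, i.e. a distinct-port threshold per source) from a response layer (passive static port rules plus active blocking of flagged sources), then runs the same constructed sample flows through each of the three modes. The signature byte pattern, the flow data, and the port tolerance of 3 are all made-up sample values.

```python
"""Toy model of the two IPS criteria: an analysis engine (signatures plus
tolerances) and a response layer (passive static rules plus active blocking).
All flows, signatures and thresholds below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed signature: a byte pattern we pretend marks a known attack.
SIGNATURES = {"sample-exploit-marker": b"EVIL_MARKER"}


class AnalysisEngine:
    """Criterion 1: more than a flat rule list. Signatures are combined with
    a tolerance: a source that touches more distinct destination ports than
    the threshold during the run is flagged as a port sweep."""

    def __init__(self, port_tolerance=3):
        self.port_tolerance = port_tolerance
        self.ports_by_src = defaultdict(set)

    def analyze(self, flow):
        for name, pattern in SIGNATURES.items():
            if pattern in flow.payload:
                return f"signature:{name}"
        self.ports_by_src[flow.src].add(flow.dport)
        if len(self.ports_by_src[flow.src]) > self.port_tolerance:
            return "tolerance:port-sweep"
        return None


class ResponseLayer:
    """Criterion 2: passive enforcement of static rules, plus active blocking
    of any source the analysis engine has flagged."""

    def __init__(self, denied_ports):
        self.denied_ports = set(denied_ports)
        self.blocked_sources = set()

    def passive_permits(self, flow):
        return flow.dport not in self.denied_ports

    def active_block(self, src):
        self.blocked_sources.add(src)


def process(flows, mode, port_tolerance=3, denied_ports=(23,)):
    """mode: 'ids'      = analysis only (alert, never drop)
             'firewall' = static rules only (no analysis)
             'ips'      = analysis + passive + active response
    Returns a list of (action, flow) tuples in input order."""
    engine = AnalysisEngine(port_tolerance)
    responder = ResponseLayer(denied_ports)
    log = []
    for flow in flows:
        if mode in ("firewall", "ips") and not responder.passive_permits(flow):
            log.append(("drop:static-rule", flow))
            continue
        if mode == "ips" and flow.src in responder.blocked_sources:
            log.append(("drop:blocked-source", flow))
            continue
        verdict = engine.analyze(flow) if mode in ("ids", "ips") else None
        if verdict is None:
            log.append(("pass", flow))
        elif mode == "ids":
            log.append((f"alert:{verdict}", flow))  # detect only, traffic flows
        else:
            responder.active_block(flow.src)       # active response
            log.append((f"drop:{verdict}", flow))
    return log


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", 80, b"GET / HTTP/1.1"),
    Flow("192.0.2.10", "10.0.0.5", 23),                        # telnet: static deny
    Flow("192.0.2.20", "10.0.0.5", 443, b"...EVIL_MARKER..."), # signature hit
    Flow("192.0.2.20", "10.0.0.5", 80, b"GET / HTTP/1.1"),     # same source afterwards
    Flow("192.0.2.30", "10.0.0.5", 80),
    Flow("192.0.2.30", "10.0.0.5", 443),
    Flow("192.0.2.30", "10.0.0.5", 22),
    Flow("192.0.2.30", "10.0.0.5", 25),                        # 4th port: over tolerance
    Flow("192.0.2.30", "10.0.0.5", 8080),
]


def summarize(mode):
    """Action taken on each sample flow, in order, for the given mode."""
    return [action for action, _ in process(SAMPLE_FLOWS, mode)]


if __name__ == "__main__":
    for m in ("ids", "firewall", "ips"):
        print(m, summarize(m))
```

Running it shows the split the post describes: the IDS mode raises alerts for the signature hit and the port sweep but drops nothing; the firewall mode drops only the telnet flow its static rule covers and is blind to both the signature and the sweep; the IPS mode drops the telnet flow passively, drops the signature and sweep flows on analysis, and then actively drops everything further from the two flagged sources.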