IDS mailing list archives
RE: True definition of Intrusion Prevention
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Mon, 29 Dec 2003 19:23:13 -0700
Ron,

Here are some of the attack pattern type signatures being classified by many vendors who are now pushing Intrusion Prevention attack detection:

  FIN without ACK Attack
  FTP Buffer Overflow Attack
  ICMP Flood Attack
  ICMP Fragment Attack
  ICMP Source Session Limit
  ICMP Sweep Attack
  Invalid URL Attack
  IP Fragment
  IP Land Attack
  IP Loose Source Record Routing
  IP Record Routing
  IP Security Option
  IP Strict Source Record Routing
  IP Timestamp Option
  Large ICMP Packet Attack
  Ping of Death Attack
  POP2 Buffer Overflow Attack
  POP3 Buffer Overflow Attack
  Port Scan Attack
  SYN Flood Attack
  SYN Fragment Attack
  TCP with No Flag Attack
  UDP Flood Attack
  UDP Land Attack
  UDP Source Session Limit
  Unknown IP Protocol

None of the above should be classified as Intrusion Prevention, since they are really, in essence, "glorified" Intrusion Detection class patterns. Most of the above can be easily remediated by implementing sound security measures at the network device level (i.e. Access Control Lists and other network device configuration tidbits, even on WinDoze based machines).

To address the other vendors you mention, they address issues at the host level that cannot really be classified as "Intrusion Prevention". Okena and Entercept are quantifying certain network based applications as being rogue or known to have issues, and thus implementing policy to prevent rogue type behavior. Again, not really Intrusion Prevention.

I tend to agree: "true" Intrusion Prevention could be defined as "alien" technology, since none of the vendors can agree on what Intrusion Prevention really is. I guess marketing folks/marketing communication folks will have something to do for the next few months and figure out what "snake oil" they can assemble.

The consolidation of Managed Security Service Providers, as you mention, is cementing the fact that one cannot monitor an enterprise network without huge product/development house type capital. The technologies behind most Managed Security Service Providers are classifications of attacks accumulated from snarfing information from various sources, dumping them into a huge monolithic database and correlating the information to data being analyzed by customers. Outsourcing security event and correlation management has always been a strange subject to broach, since most large corporations are not in the business of spending gobs of money on security unless the ROI is clearly visible to them and not 5 years down the road. Most corporations who purchase solutions today take several months to learn them, figure out the ramifications to their network, and conduct a pilot before enabling them on their production network. I have not observed large scale deployments (>30,000 seats) of HIDS based products in the last two years. The mechanism of deployment needs drastic improvement.

/m

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Monday, December 29, 2003 7:05 PM
To: Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: Re: True definition of Intrusion Prevention

Yep ... "intrusion prevention" is the latest bandwagon marketing folks are getting into. What makes matters worse is I think that "intrusion detection" was also mis-labeled from the start. IDS was really "attack and probe detection" but rarely did they actually detect real compromises.

Everything from better passwords to extra firewalls can be considered intrusion prevention. Most of the time, I hear it when NIDS vendors are going inline, or firewall vendors are going into the application layer. In either case, a majority of the customers I speak with are not deploying anything inline which can negatively affect their infrastructure. There are some exceptions, but most networks which are poorly run are insecure by practice and don't suffer inline security that well. Other networks that have had a sound security design have shrugged off worms and attacks without any new technology.

The other area IPS is becoming popular is at the host. Okena (Cisco), Entercept (NAI), SANA, all of the host firewall guys, the virus guys and who knows who else have solutions to mitigate attacks at the server and desktop. Some of these guys use rules, AI, mods to the OS, enhanced firewall ACLs, prayer and reverse engineered alien technology.

What gets me about IPS is how polarizing it is to the enterprise security industry. There are some really big enterprises out there that hear Gartner slam the lack of success of IDS, and then look to their successful IDS deployments. I see the purchase of Guardent by Verisign and Riptech by Symantec as endorsements of the IDS space. At the same time, I see a lot of folks halting NIDS/HIDS deployments in favor of enhanced configuration/vulnerability management or even outsourcing IT altogether.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

At 09:44 AM 12/28/2003 -0700, Teicher, Mark (Mark) wrote:
> Again, I am broaching the subject of what is the true definition of
> Intrusion Prevention. Can someone on the list please enlighten me. It
> appears the definition of IPS has yet been re-formed by various market
> analysts and some vendors. Normalization and anomaly detection is not
> "Intrusion Prevention". What is the difference between Intrusion
> Detection and Intrusion Prevention at the high level? Then at the
> granular level, Network Intrusion Prevention versus Network Intrusion
> Detection, Host Intrusion Prevention versus Host Intrusion Detection?
>
> Some vendors have mentioned the use of "black list" vs "white list".
> This appears a bit more subjective, and less effective in most
> enterprises since this would require application network traffic
> analysis, and researching all the little .dlls that are associated with
> various applications in order to derive an effective "black list" versus
> "white list" policy.
>
> This then brings me to another point, host integrity checking. This
> technology makes no sense; all it is is a simple check for running a
> certain application, patch level, or AV engine. There are various
> vendors out there that offer AV/Patch management solutions that offer an
> enhanced feature set than just a check for a registry.
>
> *points to ponder*
>
> /mark
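The per-packet entries in the signature list (land, no-flag, FIN-without-ACK, source-route options, oversized ICMP, unknown protocol) are plain header checks, which is the point behind the ACL remark. As an added example that is not code from the thread or from any vendor, here is a small Python classifier over constructed packet records that names which of those listed patterns a single packet matches; the field names and the two thresholds are this example's own assumptions, and the flood, scan and session-limit entries are left out because they need state across packets.

```python
# Added illustration (not the thread authors' or any vendor's code): stateless
# header checks for some signatures in the list above. Field names and the
# two thresholds are this example's own assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_IP_PROTOS = {1, 6, 17}       # ICMP, TCP, UDP: the assumed "known" set
LARGE_ICMP_BYTES = 1024            # assumed threshold; vendors pick their own
MAX_IP_DATAGRAM = 65535            # RFC 791 maximum total length
FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits
OPTION_NAMES = {"lsrr": "IP Loose Source Record Routing", "ssrr": "IP Strict Source Record Routing",
                "rr": "IP Record Routing", "ts": "IP Timestamp Option"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ip_len: int = 40                  # total length of this IP packet, bytes
    frag_offset: int = 0              # fragment offset, bytes
    more_frags: bool = False          # IP "more fragments" flag
    ip_options: Tuple[str, ...] = ()  # option kinds present (keys of OPTION_NAMES)
    tcp_flags: Optional[int] = None   # flags byte, only when a TCP header is present


def classify(pkt: Packet) -> List[str]:
    """Names of the listed per-packet patterns this one packet matches."""
    hits = [OPTION_NAMES[o] for o in pkt.ip_options if o in OPTION_NAMES]
    if pkt.proto not in KNOWN_IP_PROTOS:
        hits.append("Unknown IP Protocol")
    if pkt.src == pkt.dst and pkt.proto in (6, 17):
        hits.append("IP Land Attack" if pkt.proto == 6 else "UDP Land Attack")
    if pkt.proto == 1:
        if pkt.frag_offset or pkt.more_frags:
            hits.append("ICMP Fragment Attack")
        if pkt.frag_offset + pkt.ip_len > MAX_IP_DATAGRAM:
            hits.append("Ping of Death Attack")  # reassembled datagram too large
        elif pkt.ip_len > LARGE_ICMP_BYTES:
            hits.append("Large ICMP Packet Attack")
    if pkt.proto == 6 and pkt.tcp_flags is not None:
        if pkt.tcp_flags == 0:
            hits.append("TCP with No Flag Attack")
        if pkt.tcp_flags & FIN and not pkt.tcp_flags & ACK:
            hits.append("FIN without ACK Attack")
        if pkt.tcp_flags & SYN and pkt.more_frags:
            hits.append("SYN Fragment Attack")
    return hits


# Constructed sample traffic: a normal segment followed by malformed packets.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", 6, tcp_flags=ACK),
    Packet("10.0.0.9", "10.0.0.9", 6, tcp_flags=SYN, more_frags=True),
    Packet("10.0.0.5", "10.0.0.9", 1, ip_len=1480, frag_offset=65120),
    Packet("10.0.0.5", "10.0.0.9", 99, ip_options=("lsrr",)),
]
```

Every check reads only fields of the packet in hand, which is exactly what a router ACL or stateless filter can evaluate; anything in the list that counts packets over time is a different kind of control.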