IDS mailing list archives

RE: True definition of Intrusion Prevention


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Mon, 29 Dec 2003 19:23:13 -0700

Ron,

Here are some of the attack pattern type signatures being classified
by many vendors who are now pushing Intrusion Prevention attack detection:

FIN without ACK Attack
FTP Buffer Overflow attack
ICMP Flood Attack
ICMP Fragment Attack
ICMP Source Session Limit
ICMP Sweep Attack
Invalid URL Attack
IP Fragment
IP Land Attack
IP Loose Source Record Routing
IP Record routing
IP Security Option
IP Strict Source Record Routing
IP Timestamp Option
Large ICMP Packet Attack
Ping of Death Attack
POP2 Buffer Overflow Attack
POP3 Buffer Overflow Attack
Port Scan Attack
SYN Flood Attack
SYN Fragment Attack
TCP with No Flag Attack
UDP Flood Attack
UDP Land Attack
UDP Source Session Limit
Unknown IP protocol

None of the listed above should be classified as Intrusion Prevention,
since they are really in essence "glorified" Intrusion Detection class
patterns. Most of the listed above can be easily remediated by
implementing sound security measures at the network device level (i.e.
Access Control Lists and other network device configuration tidbits,
even on WinDoze based machines).

To address the other vendors you mention, they are addressing issues at
the host level that cannot really be classified as "Intrusion
Prevention".  Okena, Entercept are quantifying certain network based
applications as being rogue or known to have issues with them, and thus
implementing policy to prevent rogue type behavior.  Again, not really
Intrusion Prevention.

I tend to agree, "true" Intrusion Prevention could be defined as "alien"
technology, since none of the vendors can agree on what Intrusion
Prevention really is.  I guess marketing folks/marketing communication
folks will have something to do for the next few months and figure out
what "snake oil" they can assemble.

The consolidation of Managed Security Service Providers as you mention
is cementing the fact that one cannot monitor an enterprise network
without a huge product/development house type capital. The technologies
behind most Managed Security Service Providers are classifications of
attacks accumulated from snarfing information from various sources,
dumping them into a huge monolithic database and correlating the
information to data being analyzed by customers.  Outsourcing security
event and correlation management has always been a strange subject to
broach, since most large corporations are not in the business of
spending gobs of money on security unless the ROI is clearly visible to
them and not 5 years down the road.  Most corporations who purchase
solutions today take several months to learn it, figure out the
ramifications to their network, and conduct a pilot before enabling on
their production network.  I have not observed large scale deployments
(>30,000 seats) of HIDS based products in the last two years.  The
mechanism of deployment needs drastic improvement.

/m
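Most of the signature names in Mark's list above are header-level checks that a
packet filter or ACL can express directly, which is his point about them being
detection-class rather than prevention. The following is an added example that is
not part of the thread and not any named vendor's product code: a small classifier
that applies a handful of those checks (Land, TCP with no flags, FIN without ACK,
SYN/ICMP fragments, large ICMP, unknown IP protocol, IP options, and a stateful
port-scan count) to constructed sample packets. The thresholds, the trimmed set of
"known" IP protocols, and the sample addresses are assumptions made for the example;
the IP option type codes are the standard IANA values.

```python
"""Header-level checks for several signature classes from the list in the thread.

Added example with constructed sample packets; not the code of any vendor named
in the discussion. Thresholds and the known-protocol set are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# IANA IP option type codes mapped to the signature names used in the list
IP_OPTION_NAMES = {
    7: "IP Record routing",
    68: "IP Timestamp Option",
    130: "IP Security Option",
    131: "IP Loose Source Record Routing",
    137: "IP Strict Source Record Routing",
}

KNOWN_IP_PROTOCOLS = {1, 6, 17}   # ICMP, TCP, UDP (assumption: trimmed for the example)
LARGE_ICMP_BYTES = 1024            # assumed threshold for "Large ICMP Packet"
PORT_SCAN_DISTINCT_PORTS = 20      # assumed threshold for "Port Scan"


@dataclass
class Packet:
    """Constructed, decoded header fields; length is the reassembled IP length."""
    src: str
    dst: str
    proto: int
    length: int = 64
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    fragmented: bool = False
    ip_options: List[int] = field(default_factory=list)


def classify(pkt: Packet) -> List[str]:
    """Return the stateless signature names that a single packet matches."""
    hits: List[str] = []
    if pkt.proto not in KNOWN_IP_PROTOCOLS:
        hits.append("Unknown IP protocol")
    for opt in pkt.ip_options:
        if opt in IP_OPTION_NAMES:
            hits.append(IP_OPTION_NAMES[opt])
    # Land: source and destination address and port are identical
    if pkt.src == pkt.dst and pkt.sport == pkt.dport:
        if pkt.proto == 6:
            hits.append("IP Land Attack")
        elif pkt.proto == 17:
            hits.append("UDP Land Attack")
    if pkt.proto == 6:
        if pkt.tcp_flags == 0:
            hits.append("TCP with No Flag Attack")
        if pkt.tcp_flags & FIN and not pkt.tcp_flags & ACK:
            hits.append("FIN without ACK Attack")
        if pkt.tcp_flags & SYN and pkt.fragmented:
            hits.append("SYN Fragment Attack")
    if pkt.proto == 1:
        if pkt.fragmented:
            hits.append("ICMP Fragment Attack")
        if pkt.length > LARGE_ICMP_BYTES:
            hits.append("Large ICMP Packet Attack")
        if pkt.length > 65535:   # only reachable after reassembly
            hits.append("Ping of Death Attack")
    return hits


def find_port_scans(packets: List[Packet],
                    threshold: int = PORT_SCAN_DISTINCT_PORTS) -> Dict[str, int]:
    """Stateful check: sources whose SYN-only probes hit many distinct (dst, port) pairs."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for p in packets:
        if p.proto == 6 and p.tcp_flags & SYN and not p.tcp_flags & ACK:
            targets[p.src].add((p.dst, p.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample traffic (documentation addresses, not real hosts)
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.5", 6, sport=139, dport=139, tcp_flags=SYN),
    Packet("192.0.2.10", "10.0.0.7", 6, sport=40000, dport=80, tcp_flags=0),
    Packet("192.0.2.10", "10.0.0.7", 6, sport=40001, dport=22, tcp_flags=FIN),
    Packet("192.0.2.10", "10.0.0.7", 1, length=2000, fragmented=True),
    Packet("192.0.2.11", "10.0.0.7", 6, sport=1, dport=443, tcp_flags=SYN | ACK),
    Packet("192.0.2.12", "10.0.0.7", 99),
    Packet("192.0.2.13", "10.0.0.7", 6, sport=5, dport=80, tcp_flags=ACK, ip_options=[131]),
] + [Packet("192.0.2.20", "10.0.0.7", 6, sport=50000 + i, dport=i, tcp_flags=SYN)
     for i in range(1, 26)]


def run(packets: List[Packet] = SAMPLE):
    """Classify every packet and report port-scan sources."""
    return [(p.src, p.dst, classify(p)) for p in packets], find_port_scans(packets)


if __name__ == "__main__":
    per_packet, scans = run()
    for src, dst, hits in per_packet:
        if hits:
            print(f"{src} -> {dst}: {', '.join(hits)}")
    print("port scan sources:", scans)
```

The flood and session-limit entries in the list need the same kind of counter as `find_port_scans`, keyed by destination and bounded by a time window; they are omitted here so the example stays stateless apart from the one illustrative counter.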


-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com] 
Sent: Monday, December 29, 2003 7:05 PM
To: Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: Re: True definition of Intrusion Prevention


Yep ... "intrusion prevention" is the latest bandwagon marketing folks
are getting into. What makes matters worse is I think that "intrusion
detection" was also mis-labeled from the start. IDS was really "attack
and probe detection" but rarely did they actually detect real
compromises.

Everything from better passwords to extra firewalls can be considered
intrusion prevention. Most of the time, I hear it when NIDS vendors
are going inline, or firewall vendors are going into the application
layer. In either case, a majority of the customers I speak with are not
deploying anything inline which can negatively affect their
infrastructure. There are some exceptions, but most networks which are
poorly run are insecure by practice and don't suffer inline security
that well. Other networks that have had a sound security design have
shrugged off worms and attacks without any new technology.

The other area IPS is becoming popular is at the host. Okena (Cisco),
Entercept (NAI), SANA, all of the host firewall guys, the virus guys and
who knows who else have solutions to mitigate attacks at the server and
desktop. Some of these guys use rules, AI, mods to the OS, enhanced
firewall ACLs, prayer and reverse engineered alien technology.

What gets me about IPS is how polarizing it is to the enterprise
security industry. There are some really big enterprises out there that
hear Gartner slam the lack of success of IDS, and then look to their
successful IDS deployments. I see the purchase of Guardent by Verisign
and Riptech by Symantec as endorsements of the IDS space. At the same
time, I see a lot of folks halting NIDS/HIDS deployments in favor of
enhanced configuration/vulnerability management or even outsourcing IT
altogether.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com





At 09:44 AM 12/28/2003 -0700, Teicher, Mark (Mark) wrote:
Again, I am broaching the subject of what is the true definition of
Intrusion Prevention.  Can someone on the list please enlighten me.  It
appears the definition of IPS has yet been re-formed by various market
analysts and some vendors.

Normalization and anomaly detection are not "Intrusion Prevention".

What is the difference between Intrusion Detection and Intrusion
Prevention at the high level?  Then at the granular level, Network
Intrusion Prevention versus Network Intrusion Detection, Host Intrusion
Prevention, Host Intrusion Detection?

Some vendors have mentioned the use of "black list" vs "white list".
This appears a bit more subjective, and less effective in most
enterprises since this would require application network traffic
analysis, and researching all the little .dlls that are associated with
various applications in order to derive an effective "black list"
versus "white list" policy.

This then brings me to another point, host integrity checking. This
technology makes no sense; all it is is a simple check for running a
certain application, patch level, or AV engine.  There are various
vendors out there that offer AV/Patch management solutions that offer an
enhanced feature set beyond just a check of a registry.

*points to ponder*

/mark

