IDS mailing list archives

RE: True definition of Intrusion Prevention


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Tue, 30 Dec 2003 04:48:45 -0800 (PST)

Hello,

I like to classify products and principles according
to their place in the "security process" [1]:

assess -> protect -> detect -> respond

"Assess" means implementing policies and procedures
and measuring security posture via vulnerability
assessment.

"Protect" means trying to prevent intrusions, perhaps
with filtering bridges and routers, firewalls, and
"IPS," some on the host (e.g., systrace) and some on
the network.  IPS is a progression up the stack in
terms of making access control decisions.  We started
at layers 3 and 4 with IPs and ports, then added
stateful inspection, and now some products work more
or less at layer 7 doing "deep inspection" beyond
layers 3 and 4.  On the host we're moving down from
userland closer to the kernel.  Protection is active;
it alters the environment.

"Detect" is where I put all IDS products.  "Detect" is
passive.  We detect cases where prevention has failed.
It's "network auditing" and "network security
monitoring."

In the "response" phase we contain and remediate the
intrusion.  Humans do this for cases where prevention
fails.

People get confused because the "protect" phase can
make detect and respond steps in order to prevent
intrusions.  For example, prevention product X detects
recon from potential intruder Y and responds by
reconfiguring a firewall to shun Y's IP.  That's all
still protection; the end result was an action that
altered the environment.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com

[1] I decided to buck the "reinvent the wheel" trend
and use someone else's security process terms -- from
"Internet Site Security" by Erik Schetina, Ken Green,
and Jacob Carlson.

