IDS mailing list archives
Re: True definition of Intrusion Prevention
From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 30 Dec 2003 09:50:16 -0500
Teicher, Mark (Mark) wrote:
> None of the listed above should be classified as Intrusion Prevention, since they are really in essence "glorified" Intrusion Detection class patterns. Most of the listed above can be easily remediated by implementing sound security measures at the network device levels (i.e. Access Control Lists, and other network device configuration tidbits, even on WinDoze based machines).
True. But if access is desired, network security measures alone won't be effective at preventing exploitation of many of the attacks...only system security can handle that. Even on a tightly controlled network, vulnerable systems will occasionally appear or be unsafely operated through ignorance, mistakes, or priorities. Shoot, every new Windows NT/2k/XP/2003 system is instantly vulnerable to a network based attack unless action is taken prior to the system being put on the network. If not vulnerable to the Internet because of netbios/rpc blocks and stateful UDP firewalls, then vulnerable to other computers on the same network. Not all networks have strictly defined purposes, narrow access controls, or stringent configuration management. Consider student residence networks. Consider home broadband networks. Consider the increasing interconnections of business partners and public access to information and interactive services.

If an inline IDP device allows an organization to write its own rules, it can do things no other device can do. It may allow an organization to block certain types of attacks while patches are deployed and service is maintained. Or block attacks for which no patches exist. It's just another tool in the arsenal.

I agree that "intrusion prevention" is a vague, meaningless term that can be applied to almost any security measure. But the term "firewall" is not much better. A lot of terminology is just accepted practice, right or wrong. When did the term "firewall" come to mean application communication monitoring and fingerprinting as it does for desktop firewalls? Should we call anti-virus software "file system monitor for identified malicious software patterns"? What differentiates "trojans" and "spyware"? Why is file/print sharing software that includes multi-user access functionality long established by the mainframe and minicomputer world called a "network operating system"? And don't forget switching/bridging.

Is the IDP hype any worse than firewall or vulnerability detection manufacturers' hype? Ever try to get details on firewall proxy capabilities? Or vulnerability detection methods of non-open source vulnerability scanners? Compare the protection capabilities of a typical firewall with the threats described by the SANS Top Twenty. How many threats can be mitigated by a firewall through proxies or stateful inspection engines without blocking the affected service entirely or limiting it to only trusted computers (assuming there are such things and that such a list is practical for a particular organization's goals)?

While a network IDP may be a glorified IDS, there is one important difference...instead of generating an after-the-fact alert, the probe or intrusion attempt can be blocked. Are there compromises between false positives, allowing possible malicious traffic, and overall protection? Of course. But the same could be said about almost any other security measure...password retry limits, virus heuristics, traffic pattern analysis, taking proactive, automated actions based on vulnerability scans, desktop firewalls blocking consumer apps, etc.

I'm not arguing that a network IDP is a be-all and end-all. But until similar functionality is incorporated into mainstream "firewall" products, it seems to me they can serve a useful purpose, particularly in relatively open networks.
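The distinction the post draws (an IDS raises an after-the-fact alert and lets the packet through, an inline IDP matches the same organization-written rule and drops it) and the two trade-offs it names (false positives against legitimate traffic, and exempting "only trusted computers") can be made concrete with a toy inline rule engine. This is an added example written for this archive page, not code from the poster or from any IDS/IDP product; the rule format, the `/cgi-bin/vuln.cgi?` signature, the addresses and the traffic sample are all constructed for illustration.

```python
"""Toy inline rule engine contrasting an IDS (alert and forward) with an
inline IDP (match and drop). Added example with constructed traffic; the
signature, hosts and packets below are hypothetical, not from any product."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dst_port: int
    content: bytes   # byte pattern that must appear in the payload
    action: str      # "alert" = IDS behaviour; "drop" = inline IDP behaviour

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dst_port == self.dst_port
                and self.content in pkt.payload)


@dataclass
class Verdict:
    forwarded: bool
    alerts: List[str] = field(default_factory=list)


def inspect(pkt: Packet, rules: List[Rule],
            trusted: FrozenSet[str] = frozenset()) -> Verdict:
    """Run every rule over one packet. An alert rule only records a hit and
    the packet still goes through; a drop rule stops it unless the source is
    on the trusted list (the 'only trusted computers' exemption)."""
    verdict = Verdict(forwarded=True)
    for rule in rules:
        if not rule.matches(pkt):
            continue
        verdict.alerts.append(rule.name)
        if rule.action == "drop" and pkt.src not in trusted:
            verdict.forwarded = False
            break
    return verdict


def summarize(packets: List[Packet], rules: List[Rule],
              trusted: FrozenSet[str] = frozenset()) -> Tuple[int, int, int]:
    """Return (forwarded, blocked, alerted) counts for a traffic sample."""
    verdicts = [inspect(p, rules, trusted) for p in packets]
    forwarded = sum(v.forwarded for v in verdicts)
    alerted = sum(bool(v.alerts) for v in verdicts)
    return forwarded, len(verdicts) - forwarded, alerted


# Hypothetical signature for a web app the organisation cannot patch yet:
# the same pattern with the two actions the post contrasts.
SIG = b"/cgi-bin/vuln.cgi?"
IDS_RULES = [Rule("vuln-cgi", "tcp", 80, SIG, "alert")]
IDP_RULES = [Rule("vuln-cgi", "tcp", 80, SIG, "drop")]

# Constructed traffic sample: one exploit attempt, one ordinary request, a
# benign request that carries the signature inside a search query (a classic
# false positive), and a packet to another port that no rule covers.
SAMPLE = [
    Packet("203.0.113.9", "tcp", 80, b"GET /cgi-bin/vuln.cgi?cmd=id HTTP/1.0\r\n"),
    Packet("198.51.100.4", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("198.51.100.7", "tcp", 80, b"GET /search?q=/cgi-bin/vuln.cgi? HTTP/1.0\r\n"),
    Packet("203.0.113.9", "tcp", 25, b"EHLO mail.example\r\n"),
]

if __name__ == "__main__":
    print("IDS (forwarded, blocked, alerted):", summarize(SAMPLE, IDS_RULES))
    print("IDP (forwarded, blocked, alerted):", summarize(SAMPLE, IDP_RULES))
    # Trusting the host behind the false positive keeps its traffic flowing
    # while the exploit attempt from the untrusted source is still dropped.
    print("IDP + trusted 198.51.100.7:",
          summarize(SAMPLE, IDP_RULES, frozenset({"198.51.100.7"})))
```

With the alert rule every packet is forwarded and two alerts are raised; with the drop rule the exploit attempt is stopped, but so is the benign search request that merely contains the pattern, which is the false-positive cost the post refers to. Adding the source of that request to the trusted set restores it without unblocking the attempt from the untrusted host, at the price of maintaining such a list.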
Current thread:
- True definition of Intrusion Prevention Teicher, Mark (Mark) (Dec 29)
- Re: True definition of Intrusion Prevention Gary Flynn (Dec 30)
- <Possible follow-ups>
- Re: True definition of Intrusion Prevention Ron Gula (Dec 29)
- Re: True definition of Intrusion Prevention Gary Flynn (Dec 30)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Dec 29)
- Re: True definition of Intrusion Prevention Gary Flynn (Dec 30)
- RE: True definition of Intrusion Prevention Craig H. Rowland (Dec 30)
- RE: True definition of Intrusion Prevention Richard Bejtlich (Dec 30)
- Re: True definition of Intrusion Prevention Bamm Visscher (Dec 30)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Dec 30)
- RE: True definition of Intrusion Prevention Frank Knobbe (Dec 30)
- RE: True definition of Intrusion Prevention Raj_Dhingra (Dec 30)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Dec 30)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Dec 30)
- RE: True definition of Intrusion Prevention Thompson, Jimi (Dec 30)