IDS mailing list archives

Re: True definition of Intrusion Prevention


From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 30 Dec 2003 09:50:16 -0500

Teicher, Mark (Mark) wrote:

> None of the listed above should be classified as Intrusion Prevention,
> since they are really in essence "glorified" Intrusion Detection class
> patterns. Most of the listed above can be easily remediated by
> implementing sound security measures at the network device levels (i.e.
> Access Control Lists, and other network device configuration tidbits,
> even on WinDoze based machines).

True. But if access is desired, network security measures alone won't be
effective at preventing exploitation of many of the attacks... only system
security can handle that. Even on a tightly controlled network, vulnerable
systems will occasionally appear or be unsafely operated through ignorance,
mistakes, or priorities. Shoot, every new Windows NT/2k/XP/2003 system
is instantly vulnerable to a network-based attack unless action is taken prior
to the system being put on the network. If not vulnerable to the Internet
because of NetBIOS/RPC blocks and stateful UDP firewalls, then vulnerable
to other computers on the same network. Not all networks have strictly
defined purposes, narrow access controls, or stringent configuration
management. Consider student residence networks. Consider home
broadband networks. Consider the increasing interconnections of business
partners and public access to information and interactive services.

If an inline IDP device allows an organization to write its own rules, it can
do things no other device can do. It may allow an organization to block
certain types of attacks while patches are deployed and service is
maintained. Or block attacks for which no patches exist. It's just another
tool in the arsenal.

I agree that "intrusion prevention" is a vague, meaningless term that can be
applied to almost any security measure. But the term "firewall" is not much
better. A lot of terminology is just accepted practice, right or wrong. When
did the term "firewall" come to mean application communication monitoring
and fingerprinting as it does for desktop firewalls? Should we call anti-virus
software "file system monitor for identified malicious software patterns"?
What differentiates "trojans" and "spyware"? Why is file/print sharing
software that includes multi-user access functionality long established by
the mainframe and minicomputer world called a "network operating
system"? And don't forget switching/bridging.

Is the IDP hype any worse than firewall or vulnerability detection
manufacturers' hype? Ever try to get details on firewall proxy
capabilities? Or vulnerability detection methods of non-open-source
vulnerability scanners?

Compare the protection capabilities of a typical firewall with the
threats described by the SANS Top Twenty. How many threats can
be mitigated by a firewall through proxies or stateful inspection
engines without blocking the affected service entirely or limiting it to
only trusted computers (assuming there are such things and that such
a list is practical for a particular organization's goals)?

While a network IDP may be a glorified IDS, there is one important
difference...instead of generating an after-the-fact alert, the probe
or intrusion attempt can be blocked. Are there compromises
between false positives, allowing possible malicious traffic, and
overall protection? Of course. But the same could be said about
almost any other security measure...password retry limits, virus
heuristics, traffic pattern analysis, taking proactive, automated
actions based on vulnerability scans, desktop firewalls blocking consumer apps, etc.

I'm not arguing that a network IDP is a be-all and end-all. But
until similar functionality is incorporated into mainstream "firewall"
products, it seems to me they can serve a useful purpose,
particularly in relatively open networks.
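The distinction Gary draws above (same detection logic, but an inline device drops the traffic instead of alerting after the fact) and the trade-off he mentions between false positives, missed malicious traffic, and overall protection can be shown with a small simulation. The following is an added example written for this archive page, not code from anyone in the thread. The rules, the "virtual patch" for a hypothetical unpatched overlong-parameter bug, and the HTTP request lines are all constructed for illustration.

```python
"""Toy inline filter: one rule set run in passive 'detect' mode (alert, forward
anyway, like an IDS) and in inline 'prevent' mode (alert and drop, like an IDP).
Everything here is constructed; no real product, signature or vulnerability."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Verdict:
    forwarded: bool      # did the request reach the server?
    matched: tuple       # names of rules that fired


class InlineFilter:
    """Evaluate every rule against a request; mode decides what a match does."""

    def __init__(self, rules, mode="detect"):
        if mode not in ("detect", "prevent"):
            raise ValueError(f"unknown mode {mode!r}")
        self.rules = list(rules)
        self.mode = mode
        self.alerts = []  # (first request line, rules that fired)

    def inspect(self, request: str) -> Verdict:
        fired = tuple(r.name for r in self.rules if r.pattern.search(request))
        if fired:
            self.alerts.append((request.split("\n", 1)[0], fired))
        # In detect mode a match only alerts; in prevent mode it also drops.
        forwarded = not (fired and self.mode == "prevent")
        return Verdict(forwarded, fired)


# Hypothetical "virtual patch": block an overlong 'id' query parameter while the
# (imaginary) fix is being rolled out. Only inspects the query string.
VIRTUAL_PATCH = Rule("virtual-patch-long-id", re.compile(r"[?&]id=[^&\s]{256,}"))

# Deliberately over-broad rule to show where false positives come from.
BROAD_RULE = Rule("broad-cmd", re.compile(r"cmd", re.IGNORECASE))

# Constructed traffic: (request, is_malicious)
TRAFFIC = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /item?id=" + "A" * 300 + " HTTP/1.1", True),        # overlong parameter
    ("GET /docs/cmd-reference.html HTTP/1.1", False),        # legitimate page
    ("GET /item?id=42 HTTP/1.1", False),
    ("POST /item HTTP/1.1\r\n\r\nid=" + "A" * 300, True),    # same issue, in a body
]


def evaluate(rules, mode, traffic=TRAFFIC):
    """Run the filter over labelled traffic and tally the outcome counts."""
    flt = InlineFilter(rules, mode)
    stats = {"true_positive": 0, "false_positive": 0, "false_negative": 0,
             "malicious_forwarded": 0, "benign_dropped": 0}
    for request, malicious in traffic:
        v = flt.inspect(request)
        if v.matched and malicious:
            stats["true_positive"] += 1
        elif v.matched and not malicious:
            stats["false_positive"] += 1
        elif not v.matched and malicious:
            stats["false_negative"] += 1
        if malicious and v.forwarded:
            stats["malicious_forwarded"] += 1
        if not malicious and not v.forwarded:
            stats["benign_dropped"] += 1
    return stats


if __name__ == "__main__":
    for label, rules in (("untuned", [VIRTUAL_PATCH, BROAD_RULE]),
                         ("tuned", [VIRTUAL_PATCH])):
        for mode in ("detect", "prevent"):
            print(f"{label:8s} {mode:8s} {evaluate(rules, mode)}")
```

Running it shows the point of the thread: in detect mode every malicious request still reaches the server (the alert is after the fact), while prevent mode stops the one the rule understands. It also shows both costs: the broad rule drops a legitimate documentation request once the device is inline, and the query-string-only virtual patch misses the same condition delivered in a POST body, so a blocking rule buys protection only as far as its coverage and precision allow.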

