IDS mailing list archives
RE: True definition of Intrusion Prevention
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 30 Dec 2003 10:27:33 -0600
On Tue, 2003-12-30 at 09:25, Teicher, Mark (Mark) wrote:
> Except that most seasoned Intrusion Detection Products have had the ability to "shun" based on a policy. Intrusion Prevention has not been clearly defined as to what it is supposed to do and what actual attacks are Intrusion Prevention class.
Howdy Mark, couldn't let that discussion about IPS die, huh? ;)

You realize that you ask for the definition of the term Intrusion Prevention, yet at the same time use that word to describe a class? Or are you moving from a classification to a definition? Semantics perhaps...

Intrusion Prevention means a lot of different things to a lot of different people (sales speak vs. technical). Confusing the issue further, I have heard folks describe their product as Intrusion Protection products/services. Argh! But perhaps that fits in better with Richard's security process concept. After all, most IPSs out there are Inline (or Gateway) IDSs, or firewalls with "deep packet inspection" capabilities, so they fall squarely under the Protect column. Other IPSs are more reactionary, as Richard mentions.

I strongly believe that we should abandon the term in favor of more detailed and clearer definitions, such as:

- Inline IDS (an IDS which can pass traffic, a la Hogwash).
- Firewall with signature-based policy rule sets (that "deep packet" thingy... gosh... who came up with that term? Sounds more like deep pocket to me :)
- Host-based firewalls.
- Application wrappers (i.e. SecureIIS).
- Kernel wrappers (i.e. systrace).
- Reactionary IDS (i.e. Snortsam... sorry, couldn't resist the shameless plug).
- Application proxies and data relays.

I was tempted to continue with Anti-virus/Anti-spam products, but realize that we could then list ALL security products. After all, they all Prevent Intrusions, right?

I hereby call upon the security community to abandon the term Intrusion Prevention System! Let's be more specific. (Otherwise Mark will continue his quest through the next decade ;)

Cheers, and a Happy New Year to all. May your systems be safe and secure, and the malware decline next year (hey, we can at least wish for it...)

Frank