IDS mailing list archives
RE: True definition of Intrusion Prevention
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 30 Dec 2003 11:20:45 -0700
<comments within>

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Tuesday, December 30, 2003 9:28 AM
To: Teicher, Mark (Mark)
Cc: focus-ids () securityfocus com
Subject: RE: True definition of Intrusion Prevention

On Tue, 2003-12-30 at 09:25, Teicher, Mark (Mark) wrote:

Except that most seasoned Intrusion Detection Products have had the ability to "shun" based on a policy. Intrusion Prevention has not been clearly defined as to what it is supposed to do and what actual attacks are Intrusion Prevention class.

Howdy Mark,

<Hey, Frank, long time... MJR always did better rants than I did>

couldn't let that discussion about IPS die, huh? ;)

<The issue still remains that it is hard to define such a broad term>

You realize that you ask for the definition of the term Intrusion Prevention, yet at the same time use that word to describe a class? Or are you moving from a classification to a definition? Semantics perhaps...

<it could be classified as a class>

Intrusion Prevention means a lot of different things to a lot of different people (sales speak vs. technical). Confusing the issue further, I've heard folks describe their product as Intrusion Protection products/services. Argh! But perhaps that fits in better with Richard's security process concept. After all, most IPSs out there are Inline (or Gateway) IDSs, or firewalls with "deep packet inspection" capabilities, so they fall squarely under the Protect column. Other IPSs are more reactionary, as Richard mentions.

<marketing term, because Gartner claims that IDS is dead!>

I strongly believe that we should abandon the term in favor of more detailed and clearer definitions, such as:

- Inline IDS (an IDS which can pass traffic, a la Hogwash).
- Firewall with signature-based policy rule sets (that "deep packet" thingy... gosh... who came up with that term? Sounds more like deep pocket to me :)
- Host-based firewalls.
- Application wrappers (i.e. SecureIIS)
- Kernel wrappers (i.e. systrace)
- Reactionary IDS (i.e. Snortsam... sorry, couldn't resist the shameless plug)
- Application proxies and data relays.

<Missed protocol anomaly detection; more of your definition is pattern-based matching>

I was tempted to continue with Anti-virus/Anti-spam products, but realize that we could then list ALL security products. After all, they all Prevent Intrusions, right?

I hereby call upon the security community to abandon the term Intrusion Prevention System! Let's be more specific.
(Otherwise Mark will continue his quest through the next decade ;)

<Next decade, hopefully I would find many other subjects to ponder about by then>

Cheers, and a Happy New Year to all. May your systems be safe and secure, and the malware decline next year (hey, we can at least wish for it...)

Frank