IDS mailing list archives

RE: True definition of Intrusion Prevention


From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Tue, 30 Dec 2003 13:06:46 -0600

All,

Prevention to me implies two things - 1) that there has been an intrusion
attempt and 2) that the box is actively doing something, like dynamically
configuring firewall rules to block traffic from a "baddie", to stop the
attempt. Anything that is incapable of reacting to a specific incident with
my direct human intervention isn't really an "intrusion prevention" measure.
It's just another alert.

My suggestion is that we develop an official lexicon of terms and hold the
marketing critters to it.  Other industries do it and it's high time that IT
in general and IT security in specific did it as well.  It would certainly
help folks make apples to apples comparisons amongst various products.  I
would think that reputable companies would benefit greatly.  IT security
purchases are typically big ticket items.  Many folks that I know are
hesitant to shuck out the cash for much of this stuff because they aren't
sure how to read the "marketing-speak" to determine if the SuperWidget 1000
is really what they need. I'd also like to see this happen before it gets
forced on the industry from the outside.

Most of the stuff I've seen is just marketing hoopla and much of it is so
extreme as to be the butt of geeky jokes.  Under the broad scope that many
vendors use for "prevention", my signature on my checks is "spending
prevention".

2 cents,

Jimi
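To make the distinction Jimi draws concrete (an alert that only gets logged versus a system that reacts to an incident on its own), here is an added example that is not part of the thread. It models a small responder that consumes IDS alert lines, counts events per source inside a sliding window, and in "prevent" mode emits a time-limited block rule instead of merely recording the alert. The alert format, the addresses and the `never_block` allowlist are all constructed for illustration; the allowlist is there because an automatic blocker that trusts a spoofable source address can be turned into a way of cutting off hosts you depend on, so a practitioner would want a guard like it before wiring such logic to a real firewall.

```python
"""Detect-only versus prevent-mode handling of IDS alerts.

Added example, not code from the list discussion. The alert line format
("date time src=.. dst=.. sig=..") and all addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts in the hypothetical key=value format.
SAMPLE_ALERTS = """\
2003-12-29 20:05:01 src=10.0.0.5 dst=192.168.1.10 sig=portscan
2003-12-29 20:05:03 src=10.0.0.5 dst=192.168.1.11 sig=portscan
2003-12-29 20:05:04 src=10.0.0.5 dst=192.168.1.12 sig=portscan
2003-12-29 20:05:30 src=10.0.0.9 dst=192.168.1.10 sig=web-probe
2003-12-29 20:06:00 src=192.168.1.1 dst=192.168.1.10 sig=portscan
2003-12-29 20:06:01 src=192.168.1.1 dst=192.168.1.11 sig=portscan
2003-12-29 20:06:02 src=192.168.1.1 dst=192.168.1.12 sig=portscan
"""


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    sig: str


@dataclass
class BlockRule:
    src: str
    expires: datetime  # rules are temporary so a false positive heals itself


def parse_alerts(text):
    """Parse the constructed alert lines into Alert objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        ts = datetime.fromisoformat(f"{date} {time}")
        alerts.append(Alert(ts, fields["src"], fields["dst"], fields["sig"]))
    return alerts


@dataclass
class Responder:
    mode: str                      # "detect" (alert only) or "prevent"
    threshold: int = 3             # alerts from one source inside the window
    window: timedelta = timedelta(seconds=60)
    block_ttl: timedelta = timedelta(minutes=10)
    never_block: frozenset = frozenset()   # hosts we must not cut off
    recent: dict = field(default_factory=lambda: defaultdict(list))
    alerts_raised: list = field(default_factory=list)
    rules: dict = field(default_factory=dict)

    def handle(self, alert):
        """Record the alert; in prevent mode, return a BlockRule when the
        per-source threshold is crossed inside the sliding window."""
        self.alerts_raised.append(alert)
        hist = self.recent[alert.src]
        hist.append(alert.ts)
        # Keep only events still inside the window relative to this alert.
        self.recent[alert.src] = [t for t in hist if alert.ts - t <= self.window]
        if self.mode != "prevent":
            return None                      # detection: nothing is changed
        if len(self.recent[alert.src]) < self.threshold:
            return None
        if alert.src in self.never_block:
            return None                      # guard against self-inflicted outage
        rule = BlockRule(alert.src, alert.ts + self.block_ttl)
        self.rules[alert.src] = rule
        return rule


def run(mode, text, never_block=frozenset()):
    """Feed every alert in `text` through a Responder and return it."""
    responder = Responder(mode=mode, never_block=never_block)
    for alert in parse_alerts(text):
        responder.handle(alert)
    return responder


def active_blocks(responder, now_iso):
    """Sources whose block rule has not yet expired at the given time."""
    now = datetime.fromisoformat(now_iso)
    return {src for src, rule in responder.rules.items() if rule.expires > now}


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        r = run(mode, SAMPLE_ALERTS, never_block=frozenset({"192.168.1.1"}))
        print(mode, "alerts:", len(r.alerts_raised), "blocks:", sorted(r.rules))
```

Run in "detect" mode the responder only accumulates alerts; in "prevent" mode the same input yields a block rule for the scanning source, while the allowlisted gateway address is reported but never blocked, and every rule carries an expiry so the firewall state does not grow without bound.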

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Monday, December 29, 2003 8:05 PM
To: Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: Re: True definition of Intrusion Prevention

Yep ... "intrusion prevention" is the latest bandwagon marketing folks
are getting into. What makes matters worse is I think that "intrusion
detection" was also mis-labeled from the start. IDS was really "attack
and probe detection" but rarely did they actually detect real compromises.

Everything from better passwords to extra firewalls can be considered
intrusion prevention. Most of the time, I hear it in when NIDS vendors
are going inline, or firewall vendors are going into the application
layer. In either case, a majority of the customers I speak with are not
deploying anything inline which can negatively affect their infrastructure.
There are some exceptions, but most networks which are poorly run, are
insecure by practice and don't suffer inline security that well. Other
networks that have had a sound security design have shrugged off worms
and attacks without any new technology.

The other area IPS is becoming popular is at the host. Okena (Cisco),
Entercept (NAI), SANA, all of the host firewall guys, the virus guys
and who knows who else have solutions to mitigate attacks at the
server and desktop. Some of these guys use rules, AI, mods to the OS,
enhanced firewall ACLs, prayer and reverse engineered alien technology.

What gets me about IPS is how polarizing it is to the enterprise
security industry. There are some really big enterprises out there that
hear Gartner slam the lack of success of IDS, and then look to their
successful IDS deployments. I see the purchase of Guardent by Verisign
and Riptech by Symantec as endorsements of the IDS space. At the same
time, I see a lot of folks halting NIDS/HIDS deployments in favor of
enhanced configuration/vulnerability management or even outsourcing
IT altogether.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
At 09:44 AM 12/28/2003 -0700, Teicher, Mark (Mark) wrote:
Again, I am broaching the subject of what is the true definition of
Intrusion Prevention. Can someone on the list please enlighten me? It
appears the definition of IPS has yet been re-formed by various market
analysts and some vendors.

Normalization and anomaly detection is not "Intrusion Prevention".

What is the difference between Intrusion Detection, Intrusion Prevention
at the high level.  Then at the granular level, Network Intrusion
Prevention versus Network Intrusion Detection, Host Intrusion
Prevention, Host Intrusion Detection?

Some vendors have mentioned the use of "black list" vs "white list".
This appears a bit more subjective, and less effective in most
enterprises since this would require application network traffic
analysis, and researching all the little .dlls that are associated with
various applications in order to derive an effective "black list" versus
"white list" policy.

This then brings me to another point: host integrity checking. This
technology makes no sense; all it is is a simple check for running a
certain application, patch level, or AV engine. There are various
vendors out there that offer AV/patch management solutions that offer an
enhanced feature set beyond just a check of a registry.

*points to ponder*

/mark
