IDS mailing list archives

RE: True definition of Intrusion


From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Tue, 30 Dec 2003 15:43:56 -0500



Hello,


Hi Craig (and list)... It's been a while... :)

Here are some of the attack-pattern-type signatures being
classified by many vendors who are now pushing Intrusion
Prevention attack detection:

FIN without ACK Attack
FTP Buffer Overflow attack
ICMP Flood Attack
ICMP Fragment Attack
ICMP Source Session Limit
ICMP Sweep Attack
Invalid URL Attack
IP Fragment
IP Land Attack
IP Loose Source Record Routing
IP Record routing
IP Security Option
IP Strict Source Record Routing
IP Timestamp Option
Large ICMP Packet Attack
Ping of Death Attack
POP2 Buffer Overflow Attack
POP3 Buffer Overflow Attack
Port Scan Attack
SYN Flood Attack
SYN Fragment Attack
TCP with No Flag Attack
UDP Flood Attack
UDP Land Attack
UDP Source Session Limit
Unknown IP protocol

None of the listed above should be classified as Intrusion
Prevention, since they are really in essence "glorified"
Intrusion Detection class patterns. Most of the listed above

Why not? If it is a mechanism of intrusion, and can be stopped before
successful execution, then it has been prevented.


Out of context, no one would disagree. How could anyone argue that
stopping activity well before it becomes an "intrusion" is not intrusion
prevention?!

However, in context ("context" being the above list of "intrusions"
[biting cheek, really hard]), it is a different story. Paraphrasing what
Mark said - most all of those "attacks" (using that term as loosely as
possible) can be trivially mitigated in most routers and switches,
including an $80 D-Link. 

This kind of brings us to the big joke of network IPS as it stands today
("IPS" being network-based enterprise class perimeter-focused solutions
that are typically discussed). Most people *assume* that since an IDS
can audit 1000's of different types of potential attacks, it would
follow that an IPS can stop the same number. IPS vendors routinely
capitalize on naive assumptions along these lines, and before you know
it, you have organizations like Gartner echoing vendor marketing jingles
without actually performing some sort of validation testing themselves. 

I *LOVE* how every term in the vendor-supplied list at the start of this
email ends with the word "attack"!!! Really think about that one for a
minute... Have you ever pulled back the hood of an IPS to see what
RELEVANT activity it *really* will and will not stop? Many of these
[network] devices are great at stopping "recon" and other "early"
activity. However, they also are making the assumption that hackers
follow the methodologies described in Hacking Exposed and related
introductory security texts. The only people I routinely see employing
such a structured approach to hacking are security people - not hackers.
And yes, before any IPS zealots jump down my throat, there are other
types of activities that can be stopped (besides recon), but on *no*
scale *anywhere* near the number of activities that can be audited with
an IDS - good, bad, or indifferent. 

And forget structure for a minute... Stops "IP Land Attack" AAAHHHHH!
Can I really become a millionaire by developing a HIPS for Windows for
Workgroups 3.11??? Ok, that's a little extreme (however, still taken
from the list above), but does "significance" have any meaning to anyone
these days? 

So is the ability to stop a few attacks acceptable enough? Guess it
entirely depends on your threshold. From the perspective of a vendor,
I don't want to be responsible for developing a product that is
deliberately limited - vendors should be developing the most thorough
solutions conceivable - which means developing solutions around the
threats, not marketing messages. It's unfortunate how blatantly this
trend is declining. 


I tend to agree, "true" Intrusion Prevention could be defined
as "alien" technology, since none of the vendors can agree
on what Intrusion Prevention really is.  I guess marketing
folks/marketing communication folks will have something to do
for the next few months and figure out what "snake oil" they
can assemble.

Vendors don't have to agree on anything and rarely do. The customer
decides with their pocketbook. 

I owe you a beer. 

technologies just reported problems if you were lucky). With the
widescale proliferation of worms, e-mail scams, etc. the benefit is
becoming very obvious to many people that you need intrusion
prevention technology.


Is preventing each of those threats at the location where an IDS has
historically been placed the best solution? I just snipped a bunch of
text that points to "no" being the answer. We keep going back to dealing
with these threats at the host, gateway, and other devices. In other
words, more secure devices (network infrastructure devices as well as
end systems). That's not IPS - that's a better and more secure system
design from the beginning, and it doesn't require additional
cost/administration overhead for perimeter-centric solutions. 

Then why have an IDS? Auditing, log reduction, tracking, and forensics
to name a few reasons. It's not that IDS was misrepresented from the
beginning (as others stated early in this thread). I clearly remember
learning to use IDS years ago as a network auditing, surveillance,
reporting, and forensics tool. I think some of the newer vendors have
mis-sold themselves from the beginning, and that has created a host of
new problems for vendors and end-users alike. 

Anyways... This thread can go in circles for weeks, and I bet $10 it
won't stop until it's eventually killed. Since everyone has a different
threshold (or understanding, which is worse when it's a vendor in
question) for what they consider an "attack," the definitions for
"intrusion" will be pretty different too. Because of that, good luck
trying to get consensus on what a prevention "system" actually is -
especially with vendors trying to push sales on this list. 

-gary
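The argument above turns on how little the quoted signature names actually require. As an added illustration (not code from this thread, from any vendor, or from the quoted list's source), the block below implements several of those names as stateless, single-packet header checks in Python and runs them over a handful of constructed packets. The `Packet` record, the set of "known" IP protocol numbers, and the 1024-byte threshold for "Large ICMP Packet" are assumptions made for the example; the Land, null-flag, FIN-without-ACK, SYN-fragment and unknown-protocol conditions follow their usual definitions. The checks assume the packet carries its transport header (i.e. a first fragment or an unfragmented datagram).

```python
# Added example, not part of the original mailing-list post.
# Stateless per-packet checks for some of the signature names quoted above.
# Packet layout, protocol set and thresholds are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as laid out in the low byte of the flags field (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed "known" protocol numbers: ICMP, IGMP, TCP, UDP
KNOWN_IP_PROTOS = {1, 2, 6, 17}
# Assumed threshold for "Large ICMP Packet Attack" (IP total length, bytes)
LARGE_ICMP_BYTES = 1024


@dataclass
class Packet:
    """Minimal decoded-header view, constructed for the example (not a parser)."""
    src_ip: str
    dst_ip: str
    proto: int                       # IP protocol number
    total_len: int                   # IP total length in bytes
    frag_offset: int = 0             # 13-bit fragment offset (8-byte units)
    more_frags: bool = False         # MF bit
    src_port: Optional[int] = None   # None for protocols without ports
    dst_port: Optional[int] = None
    tcp_flags: int = 0               # only meaningful when proto == 6

    @property
    def is_fragment(self) -> bool:
        return self.more_frags or self.frag_offset > 0


def classify(p: Packet) -> List[str]:
    """Return the signature names from the quoted list that this one packet matches.

    Every check here needs nothing beyond the packet's own headers, which is
    the point being made in the thread: a router ACL can do the same job.
    """
    hits = []
    same_endpoint = p.src_ip == p.dst_ip and (
        p.src_port is None or p.src_port == p.dst_port)
    if p.proto == 6 and same_endpoint:
        hits.append("IP Land Attack")
    if p.proto == 17 and same_endpoint:
        hits.append("UDP Land Attack")
    if p.proto == 6:
        if p.tcp_flags == 0:
            hits.append("TCP with No Flag Attack")
        if (p.tcp_flags & FIN) and not (p.tcp_flags & ACK):
            hits.append("FIN without ACK Attack")
        if (p.tcp_flags & SYN) and p.is_fragment:
            hits.append("SYN Fragment Attack")
    if p.proto == 1:
        if p.is_fragment:
            hits.append("ICMP Fragment Attack")
        if p.total_len > LARGE_ICMP_BYTES:
            hits.append("Large ICMP Packet Attack")
    if p.proto not in KNOWN_IP_PROTOS:
        hits.append("Unknown IP protocol")
    return hits


# Constructed sample traffic (addresses from documentation ranges; not captured data)
SAMPLE_PACKETS = {
    "land":      Packet("10.0.0.5", "10.0.0.5", 6, 40, src_port=139, dst_port=139, tcp_flags=SYN),
    "null_scan": Packet("192.0.2.1", "10.0.0.5", 6, 40, src_port=40000, dst_port=80, tcp_flags=0),
    "fin_scan":  Packet("192.0.2.1", "10.0.0.5", 6, 40, src_port=40001, dst_port=80, tcp_flags=FIN),
    "normal":    Packet("192.0.2.1", "10.0.0.5", 6, 1500, src_port=40002, dst_port=80, tcp_flags=ACK | PSH),
    "syn_frag":  Packet("192.0.2.1", "10.0.0.5", 6, 40, more_frags=True, src_port=40003, dst_port=22, tcp_flags=SYN),
    "big_icmp":  Packet("192.0.2.1", "10.0.0.5", 1, 1500),
    "odd_proto": Packet("192.0.2.1", "10.0.0.5", 253, 60),
    "udp_land":  Packet("10.0.0.5", "10.0.0.5", 17, 36, src_port=53, dst_port=53),
}


def classify_all(packets=SAMPLE_PACKETS) -> dict:
    """Classify every packet; returns {label: [signature names]}."""
    return {label: classify(p) for label, p in packets.items()}


if __name__ == "__main__":
    for label, hits in classify_all().items():
        print(f"{label:10s} -> {hits or ['(no match)']}")
```

Each signature fires on a single header inspection with no per-flow state, which is why they sit comfortably in a router or firewall rule set; the same classifier says nothing about an application-layer exploit inside an established session, which is where the detection coverage of an IDS actually lives.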


