IDS mailing list archives

True definition of Intrusion Prevention


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Sun, 28 Dec 2003 09:44:54 -0700

Again, I am broaching the subject of what is the true definition of
Intrusion Prevention.  Can someone on the list please enlighten me?  It
appears the definition of IPS has yet again been re-formed by various market
analysts and some vendors.

Normalization and anomaly detection are not "Intrusion Prevention".

What is the difference between Intrusion Detection and Intrusion Prevention
at the high level?  Then, at the granular level, Network Intrusion
Prevention versus Network Intrusion Detection, and Host Intrusion
Prevention versus Host Intrusion Detection?

Some vendors have mentioned the use of "black list" vs "white list".
This appears a bit more subjective, and less effective in most
enterprises, since this would require application network traffic
analysis and researching all the little .dlls that are associated with
various applications in order to derive an effective "black list" versus
"white list" policy.

This then brings me to another point: host integrity checking.  This
technology makes no sense; all it is is a simple check for a running
application, patch level, or AV engine.  There are various
vendors out there that offer AV/patch management solutions with a more
enhanced feature set than just a registry check.

*points to ponder*

/mark
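The two mechanisms the post argues about, a "black list" versus "white list" module policy and the "simple check" that host integrity checking amounts to, are shown side by side below. This is an added illustration, not code from the original post or from any vendor product it mentions; the module inventory, the deny/allow sets, the process names, patch levels and AV version strings are all constructed for the example, and `host_integrity_check` is a hypothetical helper that mirrors the three checks the post lists (application running, patch level, AV engine present).

```python
"""Added example (not from the original post): contrast a deny-list and an
allow-list policy over a host's loaded modules, then run the kind of simple
host integrity check the post describes.  All inventory data is constructed."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed inventory of modules loaded on a hypothetical host (not real data).
LOADED_MODULES: Set[str] = {
    "kernel32.dll", "user32.dll", "app_main.exe", "helper.dll", "unknown_plugin.dll",
}

# Constructed policy sets.  The deny list enumerates things already known to be
# bad; the allow list is the researched set of modules the application legitimately
# needs, which is the "researching all the little .dlls" effort the post refers to.
DENY_LIST: Set[str] = {"evil_loader.dll"}
ALLOW_LIST: Set[str] = {"kernel32.dll", "user32.dll", "app_main.exe", "helper.dll"}


def evaluate_deny_list(modules: Iterable[str], deny: Set[str]) -> Dict[str, str]:
    """Deny-list policy: only enumerated bad modules are blocked; anything not
    on the list, including a module nobody has looked at yet, is allowed."""
    return {m: ("block" if m in deny else "allow") for m in modules}


def evaluate_allow_list(modules: Iterable[str], allow: Set[str]) -> Dict[str, str]:
    """Allow-list policy: only enumerated known-good modules are allowed;
    anything not on the list is blocked, so the list must be complete."""
    return {m: ("allow" if m in allow else "block") for m in modules}


@dataclass
class HostState:
    """Constructed snapshot of what a host integrity agent would report."""
    running_processes: Set[str]
    patch_level: int
    av_engine_version: Optional[str]  # None means no AV engine reported


def host_integrity_check(state: HostState, required_process: str,
                         min_patch_level: int, require_av: bool = True) -> List[str]:
    """The 'simple check' the post describes: is the required application
    running, is the patch level at or above the minimum, and is an AV engine
    present?  Returns the list of failed checks; an empty list means the host
    passes.  Note that this says nothing about *what* those components do."""
    failures: List[str] = []
    if required_process not in state.running_processes:
        failures.append(f"required process not running: {required_process}")
    if state.patch_level < min_patch_level:
        failures.append(f"patch level {state.patch_level} below required {min_patch_level}")
    if require_av and not state.av_engine_version:
        failures.append("no AV engine reported")
    return failures


if __name__ == "__main__":
    # The unknown plugin passes the deny list and fails the allow list: the
    # deny list needs a prior finding, the allow list needs prior research.
    print("deny-list :", evaluate_deny_list(sorted(LOADED_MODULES), DENY_LIST))
    print("allow-list:", evaluate_allow_list(sorted(LOADED_MODULES), ALLOW_LIST))

    stale_host = HostState({"agent.exe"}, patch_level=3, av_engine_version=None)
    print("integrity :", host_integrity_check(stale_host, "agent.exe", min_patch_level=5))
```

Running it shows the asymmetry the post complains about in both directions: `unknown_plugin.dll` is allowed under the deny list because nobody has enumerated it as bad, and blocked under the allow list because nobody has done the research to enumerate it as good. The integrity check, meanwhile, reduces to three boolean tests on reported state, which is all a patch or AV management console already knows.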
