IDS mailing list archives

Re: True definition of Intrusion Prevention


From: George Capehart <gwc () acm org>
Date: Fri, 2 Jan 2004 10:56:56 -0500

On Friday 02 January 2004 09:41 am, Teicher, Mark (Mark) wrote:
<comments within>

<snip>


<Yes, that was the point, that marketing type people have blinded me
with their definition, that I am completely confused and dumbfounded>

*grin*  Well, then, I guess that disqualifies you from being a 
Gartner-reading pointy-haired manager . . .  ;->

<snip>


<Prevention, my mother always told me always use "protection", but to
this day, I am not quite sure what she meant>

Heh.  My dad used to tell me the same thing . . . but he made *really* 
sure that I knew what he meant.  *wince*

<snip>

<The term "Intrusion Prevention" isn't clearly defined, as you have
observed, but "Intrusion Blocking" doesn't ring the ears like the
marketing folks want you to do>

Ah, yes!  *Now* I'm beginning to understand . . .


Don't get me wrong, I don't have a problem with "intrusion blocking"
if it is successful . . . that is, if the attack is detected in time
and the appropriate "blocking mechanisms" are available.  I'd just
rather call a duck a duck . . . ;-)  I think it is possible to build
an "intrusion blocking device."  Intrusion prevention is a process.
(Apologies to Bruce Schneier ;-)  )

<"Intrusion Prevention is a process??"  What kind of blocking
mechanisms are you referring to ??  I have never met a duck who
dabbles in information security, I have heard of a cat who swipes at
their owner when they program insecure code :)>

What I really had in mind when I said that was that, to me at least, if 
there really could be such a thing as Intrusion Prevention (TM), that 
sort of implies staying ahead of the attacker.  That is a process.  One 
of the tools the process could/would use is "intrusion blocking."  
Another thing the process would/could do is design and build systems 
that don't have weaknesses that could be exploited in intrusion 
attacks.  Another is to neutralize the attackers before they attack.  
*All* of this, though, is a process.  Preventing an intrusion by 
blocking implies understanding the vulnerabilities of the system, the 
corresponding attack vectors and putting layers of defense in place 
that will either block outright or "defang" the attack.  But the world 
isn't static, new vulnerabilities are exposed and new attacks are 
concocted daily.  Staying on top of them takes constant effort and 
implementing defenses and installing patches is an ongoing process.  
This is why I feel that Intrusion Prevention (TM) is a process . . .

<snip>


<what distinction??  The marketing folks created a term that no one
in the industry understands.  Blocking is often referred to as TCP
Shunning, but since this is New Year's Day, why not start the year
off without falling off the soapbox :)>

*snicker* *snicker* *guffaw* *guffaw*

/g

BTW, a happy and prosperous New Year to all.

