IDS mailing list archives
RE: True definition of Intrusion Prevention
From: "Bohling James CONT JBC" <james.bohling () JBC JFCOM MIL>
Date: Fri, 2 Jan 2004 15:08:02 -0500
I am sorry, but I do not agree with your position on prevention and blocking. Yes you are correct that --"preventing an attack means that action has been taken to keep the attack from happening and/or an attack is */prevented/* if it doesn't or can't happen"-- However, look at what the term is semantically described: "Intrusion Prevention" -- It is not Attack Prevention. An attack is the action taken to attempt an intrusion; the intrusion is the post-attack goal. So if we look at that "chicken and egg scenario" intrusion prevention can happen by blocking an attacker via IP, application, port, protocol, etc. That was my comment; this is my $.02 USD : ) Yes, marketers (vendors) usually have an advantage with naming conventions but so what; if customer (A) wants an intrusion blocking device and customer (B) wants an intrusion prevention device then give it to them. We all know what the market is wanting in the IPS arena; whether it is cohesive and/or Websters defined is not all that important. The IPS market wants more control over the IDS and more active protection from the IDS in the form of blocking, reporting, logging, dynamic scanning for IA Vulnerability, anomaly detection, and etc. This, even though not Websters certified, tells me that a marketer (vendor) wants to sell this bundled and added functionality to the IDS as an Intrusion Prevention Solution and in the same deck wants us (security professionals) to design, code, QA, and implement it. You are never going to beat a top salesman in the sales dept. It's not what we do. ED, Joe, Paul, Just wanted to include you in on a discussion I have been monitoring for a week or two on Security Focus. Thank You, James T. Bohling Network Security Engineer - JBC CoE (W) 757-638.4032 Web: www.jbc.jfcom.mil This email was produced and manufactured in America, and is a one-of-a-kind original. -----Original Message----- From: George Capehart [mailto:gwc () acm org] Sent: Tuesday, December 30, 2003 6:03 PM To: Gary Flynn Cc: focus-ids () securityfocus com Subject: Re: True definition of Intrusion Prevention On Tuesday 30 December 2003 08:05 am, Gary Flynn wrote:
Teicher, Mark (Mark) wrote:What is the difference between Intrusion Detection, Intrusion Prevention at the high level.Having the ability to block a detected attack instead of just reporting on it.
That's not intrusion *prevention*, it's intrusion *blocking*. ;-) I'm being pedantic here for two reasons: a) I think the definition you have provided is the one that the marketeers implicitly use, and b) *blocking* an attack in process is */not/* the same as preventing an attack in the first place. An attack is */prevented/* if it doesn't or can't happen. There are two broad classes of means of preventing attacks: a) take out the attacker(s) before they attack or b) harden the target such that it is not vulnerable to the attack. Don't get me wrong, I don't have a problem with "intrusion blocking" if it is successful . . . that is, if the attack is detected in time and the appropriate "blocking mechanisms" are available. I'd just rather call a duck a duck . . . ;-) I think it is possible to build an "intrusion blocking device." Intrusion prevention is a process. (Apologies to Bruce Schneier ;-) ) I wouldn't have taken this up, but I think it is more important to make the distinction between "blocking" and "prevention" than is made in the hype. They just aren't equivalent. Preventing an attack means that action has been taken to keep the attack from happening. Blocking an attack means that the attack has been launched and one hopes that one has all of the mechanisms in place necessary to keep the attack from succeeding . . . My $0.02 USD. Best regards, George Capehart ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- Re: True definition of Intrusion Prevention George Capehart (Jan 02)
- Re: True definition of Intrusion Prevention Mike Poor (Jan 02)
- Re: True definition of Intrusion Prevention Brad McGary (Jan 05)
- Re: True definition of Intrusion Prevention George Capehart (Jan 05)
- <Possible follow-ups>
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Jan 02)
- Re: True definition of Intrusion Prevention George Capehart (Jan 02)
- RE: True definition of Intrusion Prevention Brian Taylor (Jan 05)
- Re: True definition of Intrusion Prevention Gary Flynn (Jan 05)
- Re: True definition of Intrusion Prevention George Capehart (Jan 02)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Jan 05)
- RE: True definition of Intrusion Prevention Bohling James CONT JBC (Jan 05)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Jan 05)
- Re: True definition of Intrusion Prevention George Capehart (Jan 05)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Jan 05)
- RE: True definition of Intrusion Prevention Fengmin_Gong (Jan 05)
- RE: True definition of Intrusion Prevention Fengmin_Gong (Jan 05)
- RE: True definition of Intrusion Prevention Teicher, Mark (Mark) (Jan 05)
- Re: True definition of Intrusion Prevention George Capehart (Jan 05)
- Re: True definition of Intrusion Prevention Frank Knobbe (Jan 05)
- Re: True definition of Intrusion Prevention George Capehart (Jan 05)
- RE: True definition of Intrusion Prevention Bohling James CONT JBC (Jan 05)
- Re: True definition of Intrusion Prevention George Capehart (Jan 05)
(Thread continues...)