IDS mailing list archives

RE: True definition of Intrusion Prevention


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Sat, 3 Jan 2004 08:28:29 -0700

Actually, it is the cow from "Me, Myself and Irene".
How many times did Jim Carrey shoot the cow??

I agree with your points, except for your point regarding "Holistic
Security".  Holistic security has been stated many times in books and
statements made by Brent Chapman, Marcus Ranum, Steve Bellovin and Bill
Cheswick.  Along the way, others discarded the theory for more marketing
type hype: SANS Top 20, IDS, HIDS, IPS, etc., etc.  But essentially,
everyone is talking about the same thing.  Holistic security is the
theory that drives infosec practitioners to improve security of an
enterprise within the confines of the enterprise.  Look at PKI: a very
straightforward architecture, but yet very few enterprises have fully
implemented it.  The same can be said for Single Sign On (SSO).  How many
vendors are in that space?

A quote from Marcus J. Ranum's book "The Myth of Homeland Security":
Marcus states, "If you consider the hundreds or thousands of applications
and crucial files on a given computer or network, you can imagine that
the number of possible combinations for mayhem is literally
astronomical."  (Available via Amazon.  [Blatant advertisement here: it
is on my recommended book list] :)

Most commercial and open source operating systems and security products
contain countless bugs because, when the core architecture was written,
it was designed to be feature rich (i.e. a slick UI, etc.) and to offer the
customer a few key security features which, unless the customer was really
knowledgeable, were for the most part never enabled, since Internet-enabled
services are designed for availability, and not security.

/cheers

/m
-----Original Message-----
From: Brian Taylor [mailto:drak3 () comcast net] 
Sent: Saturday, January 03, 2004 12:11 AM
To: George Capehart; Teicher, Mark (Mark); Gary Flynn
Cc: focus-ids () securityfocus com
Subject: RE: True definition of Intrusion Prevention

Did that dead horse just twitch again?

***Whips out beating stick***

Yes, I believe that most (if not all of us) agree that this
discussion/debate over IPS is a bit of marketing mixed in with a dollop of
semantics.  BUT, building slightly on what George said--IPS (or whatever
you choose to call it) is a move in the right direction for InfoSec.  The
day where you have an IDS that sees everything short of arson, robbery and
capital murder but it does not do anything other than DETECT is a short
one.

We're finally moving to holistic approaches to security that are going
beyond the layered model of thinking in some cases.  When I visit my
doctor, she may yell at me or put me on a diet due to my poor eating
habits.  This PREVENTS things like heart disease, diabetes and Doritos
poisoning (eat enough of em...it's possible).  The old way was to treat
the illnesses as they occur.  Now, we realize that X causes Y which can
lead to Z.  We now try to head it off at the pass.  So preventative
medicine is what I'd like to think that IPS should be.  And looking at
trends, it is looking like we are headed in that direction.  10 years
ago, would the few InfoSec practitioners have mentioned things like
policies alongside technology--and given them equal weight???  I doubt it.

Call it what you want.  Intrusion Blocking Systems, Intrusion Prevention
Systems, whatever.  Is it using a synergistic set of technologies,
policies and PEOPLE that work as seamlessly as possible to prevent an
actual intrusion or compromise of our systems?  If we're talking hardware
or software, it would not be some egregious crime to call it IPS **as
long as it fits those criteria**.  Does this firewall work and play well
with my IDS to prevent compromise of my network?  Whatever one chooses to
call it, I believe that should be our aim.

...and I guess that would be my definition as well.  I've never been one
to be too concerned about labels.


The horse was still kicking slightly when I got here.  I promise!


----------------------------------------------------------------------
Brian Taylor
johnthedwarf () ziplip com
"Sure you can get HIV from a mosquito -- if you have unprotected sex with
one!"
----------------------------------------------------------------------

-----Original Message-----
From: George Capehart [mailto:gwc () acm org]
Sent: Friday, January 02, 2004 10:57 AM
To: Teicher, Mark (Mark); Gary Flynn
Cc: focus-ids () securityfocus com
Subject: Re: True definition of Intrusion Prevention


On Friday 02 January 2004 09:41 am, Teicher, Mark (Mark) wrote:
<comments within>

<snip>

---------------------------------------------------------------------------