Re: True definition of Intrusion Prevention

["Brad McGary" <bmcgary () secondfront net>]

I agree with your comments but would offer the thought process regarding the
structure of an attack scenario. Most attacks start with recon and end with
target specific exploits. I've been using a commercial version of Hogwash
for about two years and have significantly reduced the number of successful
attacks launched against our environments by preventing the more prolific
recon tools from returning target intelligence. As for the worm attacks
we've been relatively successful at stopping these since they mostly utilize
exploits which have mature snort signatures. In the end there's no panacea
and we see our share of false positives and false negatives I'm sure. Please
take these comments as just my specific experience and understand I
certainly don't want to engage in any heated debates.



----- Original Message ----- 
From: "George Capehart" <gwc () acm org>
To: "Gary Flynn" <flynngn () jmu edu>
Cc: <focus-ids () securityfocus com>
Sent: Tuesday, December 30, 2003 5:02 PM
Subject: Re: True definition of Intrusion Prevention


On Tuesday 30 December 2003 08:05 am, Gary Flynn wrote:
> Teicher, Mark (Mark) wrote:
> > What is the difference between Intrusion Detection, Intrusion
> > Prevention at the high level.
>
> Having the ability to block a detected attack instead of just
> reporting on it.

That's not intrusion *prevention*, it's intrusion *blocking*.  ;-)

I'm being pedantic here for two reasons:
a) I think the definition you have provided is the one that the
marketeers implicitly use, and
b) *blocking* an attack in process is */not/* the same as preventing an
attack in the first place.

An attack is */prevented/* if it doesn't or can't happen.  There are two
broad classes of means of preventing attacks:
a) take out the attacker(s) before they attack or
b) harden the target such that it is not vulnerable to the attack.

Don't get me wrong, I don't have a problem with "intrusion blocking" if
it is successful . . . that is, if the attack is detected in time and
the appropriate "blocking mechanisms" are available.  I'd just rather
call a duck a duck . . . ;-)  I think it is possible to build an
"intrusion blocking device."  Intrusion prevention is a process.
(Apologies to Bruce Schneier ;-)  )

I wouldn't have taken this up, but I think it is more important to make
the distinction between "blocking" and "prevention" than is made in the
hype.  They just aren't equivalent.  Preventing an attack means that
action has been taken to keep the attack from happening.  Blocking an
attack means that the attack has been launched and one hopes that one
has all of the mechanisms in place necessary to keep the attack from
succeeding . . .

My $0.02 USD.

Best regards,

George Capehart

---------------------------------------------------------------------------
---------------------------------------------------------------------------



---------------------------------------------------------------------------
---------------------------------------------------------------------------