IDS mailing list archives
RE: True definition of Intrusion Prevention
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 30 Dec 2003 08:25:00 -0700
Richard,

Except that most seasoned Intrusion Detection Products have had the ability to "shun" based on a policy. Intrusion Prevention has not been clearly defined as to what it is supposed to do and what actual attacks are Intrusion Prevention class.

/mark

-----Original Message-----
From: Richard Bejtlich [mailto:richard_bejtlich () yahoo com]
Sent: Tuesday, December 30, 2003 5:49 AM
To: focus-ids () securityfocus com
Subject: RE: True definition of Intrusion Prevention

Hello,

I like to classify products and principles according to their place in the "security process" [1]:

assess -> protect -> detect -> respond

"Assess" means implementing policies and procedures and measuring security posture via vulnerability assessment.

"Protect" means trying to prevent intrusions, perhaps with filtering bridges and routers, firewalls, and "IPS," some on the host (e.g., systrace) and some on the network. IPS is a progression up the stack in terms of making access control decisions. We started at layers 3 and 4 with IPs and ports, then added stateful inspection, and now some products work more or less at layer 7 doing "deep inspection" beyond layers 3 and 4. On the host we're moving down from userland closer to the kernel. Protection is active; it alters the environment.

"Detect" is where I put all IDS products. "Detect" is passive. We detect cases where prevention has failed. It's "network auditing" and "network security monitoring."

In the "response" phase we contain and remediate the intrusion. Humans do this for cases where prevention fails.

People get confused because the "protect" phase can make detect and respond steps in order to prevent intrusions. For example, prevention product X detects recon from potential intruder Y and responds by reconfiguring a firewall to shun Y's IP. That's all still protection; the end result was an action that altered the environment.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com

[1] I decided to buck the "reinvent the wheel" trend and use someone else's security process terms -- from "Internet Site Security" by Erik Schetina, Ken Green, and Jacob Carlson.
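The recon-then-shun case Richard describes, as an added example that is not part of the thread: one port-sweep heuristic feeds either a passive alert record ("detect") or a policy-driven firewall drop rule ("protect"), so the phase is decided by whether the result alters the environment. The event records, thresholds, allowlist and iptables rule format are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample: connection attempts as (timestamp, src_ip, dst_port).
# 203.0.113.7 and 192.0.2.50 sweep many ports; 198.51.100.9 is ordinary traffic.
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", 21), (1001, "203.0.113.7", 22),
    (1002, "203.0.113.7", 23), (1003, "203.0.113.7", 25),
    (1004, "203.0.113.7", 80), (1005, "203.0.113.7", 443),
    (1000, "198.51.100.9", 443), (1003, "198.51.100.9", 443),
    (1001, "192.0.2.50", 22), (1002, "192.0.2.50", 80),
    (1002, "192.0.2.50", 443), (1003, "192.0.2.50", 8080),
    (1004, "192.0.2.50", 3389), (1005, "192.0.2.50", 5900),
]

def detect_recon(events, window=10, min_ports=5):
    """Passive step: a source touching >= min_ports distinct ports inside any
    `window`-second span is reported. Nothing in the environment changes."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "first_seen": start, "ports": sorted(ports)})
                break  # one alert per source is enough for this illustration
    return alerts

def shun(alerts, allowlist=frozenset()):
    """Active step: policy turns alerts into firewall drop rules. The allowlist
    (your own scanners, partners) is the policy knob that keeps an automated
    shun from cutting off hosts you depend on (a self-inflicted outage)."""
    return [f"iptables -A INPUT -s {a['src']} -j DROP"
            for a in alerts if a["src"] not in allowlist]

def run(mode, events=SAMPLE_EVENTS, allowlist=frozenset({"192.0.2.50"})):
    """'detect' stops at the alert record; 'protect' adds the response that
    alters the environment. Same detection logic, different phase."""
    alerts = detect_recon(events)
    if mode == "detect":
        return alerts
    if mode == "protect":
        return shun(alerts, allowlist)
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    print(run("detect"))   # alert records only
    print(run("protect"))  # drop rule for 203.0.113.7; 192.0.2.50 is allowlisted
```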