IDS mailing list archives
RE: True definition of Intrusion Prevention
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 30 Dec 2003 11:37:03 -0700
Raj,

Thanks for the pointer. I rather enjoyed the whitepaper. I am very confused; it is hard to really state the market. Some people state "IPS" is the next hot ticket.. Really, just an evolution.. :)

/m

-----Original Message-----
From: Raj_Dhingra () NAI com [mailto:Raj_Dhingra () NAI com]
Sent: Tuesday, December 30, 2003 10:15 AM
To: rgula () tenablesecurity com; Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: RE: True definition of Intrusion Prevention

Mark,

I agree with Ron. There is considerable confusion created in the market with different solution providers claiming they provide intrusion prevention even though each might offer differing product functionality.

There is a white paper that we wrote which provides one perspective. It's called: "Intrusion Prevention: Myths, Challenges, and Requirements". It's towards the bottom of the web page at http://www.nai.com/us/products/sniffer/product_lit.htm under McAfee IntruShield. The views are from a network-based intrusion prevention perspective.

Raj Dhingra
Network Associates.

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Monday, December 29, 2003 6:05 PM
To: Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: Re: True definition of Intrusion Prevention

Yep ... "intrusion prevention" is the latest bandwagon marketing folks are getting into. What makes matters worse is I think that "intrusion detection" was also mis-labeled from the start. IDS was really "attack and probe detection" but rarely did they actually detect real compromises.

Everything from better passwords to extra firewalls can be considered intrusion prevention. Most of the time, I hear it when NIDS vendors are going inline, or firewall vendors are going into the application layer. In either case, a majority of the customers I speak with are not deploying anything inline which can negatively affect their infrastructure. There are some exceptions, but most networks which are poorly run are insecure by practice and don't suffer inline security that well. Other networks that have had a sound security design have shrugged off worms and attacks without any new technology.

The other area IPS is becoming popular is at the host. Okena (Cisco), Entercept (NAI), SANA, all of the host firewall guys, the virus guys and who knows who else have solutions to mitigate attacks at the server and desktop. Some of these guys use rules, AI, mods to the OS, enhanced firewall ACLs, prayer and reverse engineered alien technology.

What gets me about IPS is how polarizing it is to the enterprise security industry. There are some really big enterprises out there that hear Gartner slam the lack of success of IDS, and then look to their successful IDS deployments. I see the purchase of Guardent by Verisign and Riptech by Symantec as endorsements of the IDS space. At the same time, I see a lot of folks halting NIDS/HIDS deployments in favor of enhanced configuration/vulnerability management or even outsourcing IT altogether.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

At 09:44 AM 12/28/2003 -0700, Teicher, Mark (Mark) wrote:

Again, I am broaching the subject of what is the true definition of Intrusion Prevention. Can someone on the list please enlighten me. It appears the definition of IPS has yet to be re-formed by various market analysts and some vendors. Normalization and anomaly detection are not "Intrusion Prevention".. What is the difference between Intrusion Detection and Intrusion Prevention at the high level? Then at the granular level, Network Intrusion Prevention versus Network Intrusion Detection, Host Intrusion Prevention, Host Intrusion Detection?

Some vendors have mentioned the use of "black list" vs "white list". This appears a bit more subjective, and less effective in most enterprises since this would require application network traffic analysis, and researching all the little .dlls that are associated with various applications in order to derive an effective "black list" versus "white list" policy.

This then brings me to another point, host integrity checking; this technology makes no sense, all it is is a simple check for running a certain application, patch level, or AV engine. There are various vendors out there that offer AV/Patch management solutions that offer an enhanced feature set than just a check for a registry.

*points to ponder*

/mark