Re: True definition of Intrusion Prevention

From: Gary Flynn (flynngn_at_jmu.edu)
Date: 12/30/03

  • Next message: Gary Flynn: "Re: True definition of Intrusion Prevention"
    Date: Tue, 30 Dec 2003 08:05:10 -0500
    
    

    Teicher, Mark (Mark) wrote:

    >What is the difference between Intrusion Detection, Intrusion Prevention
    >at the high level.
    >
    Having the ability to block a detected attack instead of just reporting
    on it.

    > Then at the granular level, Network Intrusion
    >Prevention versus Network Intrusion Detection, Host Intrusion
    >Prevention, Host Intrusion Detection?
    >
    Methods for detection in both types of devices are similar, if not
    identical, at the granular level. What differs is what is done after the
    detection. An inline network device can block the traffic. A host device
    may prevent a process from running, accessing certain parts of the
    system, or accessing the network.

    >This then brings me to another point, host integrity checking, this
    >technology makes no sense, all it is a simple check for running a
    >certain application, patch level, or av engine. There are various
    >vendors out there that offer AV/Patch management solutions that offer a
    >enhanced feature set than just a check for a registry.
    >
    You seem to be describing a vulnerability check. I consider host
    integrity checking to be monitoring the integrity of the host's
    operation. File signatures by something like Tripwire immediately come
    to mind. Monitoring open ports. Monitoring which applications access the
    network. Monitoring critical system libraries, configuration files, and
    access controls. It is a subset of configuration management, which also
    encompasses patch control.

    There are no cut-in-stone definitions. Determining the suitability of a
    particular device or application requires an understanding of how it
    works and the system or network operation on which it will be deployed.
    Marketing oversimplification is done for those folks who cannot determine
    that themselves and want to buy a black box that will solve all their
    problems, choosing from a check-off *** and save themselves the trouble
    of hiring the staff that actually understand the environment...if,
    indeed, that can be done with today's complex, interwoven environment
    and the many levels on which interactions occur.

    It's like the false sense of security given first by AV software and
    lately, desktop firewalls. They raise the bar and have specific jobs to
    do, but without an understanding of what they can and cannot do, their
    effectiveness is less than what it could be.
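The post above contrasts a vulnerability check (is the AV engine installed, is the patch applied) with host integrity monitoring in the Tripwire sense: a signed baseline of what the host's files and their access controls looked like, compared against a later scan. The following is an added example, not code from the original post or from Tripwire, showing that distinction in working form. It baselines a constructed sample tree (hypothetical files under a temp directory, not a real system), then tampers with it three ways a hostile process might: altering a file's content while restoring its original timestamp, loosening a file's permissions without touching its content, and dropping a new file. The content hash, not the timestamp, is what catches the first case.

```python
"""Minimal Tripwire-style file integrity baseline and check.

Added example; not the original post's code and not Tripwire itself.
The watched tree is constructed in a temporary directory (assumption:
a POSIX host, since the demo relies on chmod bits being honoured).
"""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """Content hash plus the metadata an attacker would have to preserve."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        # Hash the link target so a redirected symlink shows up as a change.
        h.update(os.readlink(path).encode())
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root):
    """Walk root and fingerprint every file and symlink under it.

    Keys are paths relative to root so the baseline can be compared across
    hosts that mount the same tree at different places.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = _fingerprint(path)
    return baseline


def compare(baseline, current):
    """Classify every path in either snapshot as added, removed, changed in
    content, or changed only in metadata (mode/owner/mtime)."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old["sha256"] != new["sha256"] or old["size"] != new["size"]:
            report["content"].append(rel)
        elif any(old[k] != new[k] for k in ("mode", "uid", "gid", "mtime")):
            report["metadata"].append(rel)
    return report


def demo():
    """Construct a sample tree, baseline it, tamper with it, and re-check."""
    root = tempfile.mkdtemp(prefix="fim-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    # Constructed sample files; contents are placeholders, not real data.
    for name, body in (("passwd", "root:x:0:0:root:/root:/bin/sh\n"),
                       ("hosts", "127.0.0.1 localhost\n"),
                       ("motd", "welcome\n")):
        with open(os.path.join(etc, name), "w") as f:
            f.write(body)
        os.chmod(os.path.join(etc, name), 0o644)
    base = build_baseline(root)

    # Tamper 1: append an account to passwd, then put the original mtime
    # back, the way a rootkit defeats an mtime-only check.
    target = os.path.join(etc, "passwd")
    st = os.stat(target)
    with open(target, "a") as f:
        f.write("backdoor:x:0:0::/:/bin/sh\n")
    os.utime(target, (st.st_atime, st.st_mtime))
    # Tamper 2: make hosts world-writable without changing its content.
    os.chmod(os.path.join(etc, "hosts"), 0o666)
    # Tamper 3: drop a new file and remove an existing one.
    with open(os.path.join(etc, "ld.so.preload"), "w") as f:
        f.write("/tmp/evil.so\n")
    os.remove(os.path.join(etc, "motd"))

    return compare(base, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline dictionary is plain JSON-serialisable data; in a real deployment it must be stored where the monitored host cannot rewrite it (read-only media, or a separate signing step as Tripwire applies to its database), otherwise an attacker who can alter `/etc/passwd` can also re-baseline it. Ordering in `compare` matters: a content change is reported as such even when the mode also changed, so the metadata bucket only ever holds files whose bytes are intact.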


