RE: True definition of Intrusion Prevention

Raj_Dhingra_at_NAI.com
Date: 12/30/03

    Next message: Craig H. Rowland: "RE: True definition of Intrusion Prevention"
    Date: Tue, 30 Dec 2003 09:15:04 -0800
    To: <rgula@tenablesecurity.com>, <teicher@avaya.com>, <focus-ids@securityfocus.com>

    Mark,

    I agree with Ron. There is considerable confusion created in the market
    with different solution providers claiming they provide intrusion
    prevention even though each might offer differing product functionality.

    There is a white paper that we wrote which provides one perspective.

    It's called: "Intrusion Prevention: Myths, Challenges, and
    Requirements"
    It's towards the bottom of the web page at
    http://www.nai.com/us/products/sniffer/product_lit.htm under McAfee
    IntruShield.
    The views are from a network-based intrusion prevention perspective.

    Raj Dhingra
    Network Associates.

    -----Original Message-----
    From: Ron Gula [mailto:rgula@tenablesecurity.com]
    Sent: Monday, December 29, 2003 6:05 PM
    To: Teicher, Mark (Mark); focus-ids@securityfocus.com
    Subject: Re: True definition of Intrusion Prevention

    Yep ... "intrusion prevention" is the latest bandwagon marketing folks
    are getting into. What makes matters worse is I think that "intrusion
    detection" was also mis-labeled from the start. IDS was really "attack
    and probe detection" but rarely did they actually detect real
    compromises.

    Everything from better passwords to extra firewalls can be considered
    intrusion prevention. Most of the time, I hear it when NIDS vendors
    are going inline, or firewall vendors are going into the application
    layer. In either case, a majority of the customers I speak with are not
    deploying anything inline which can negatively affect their
    infrastructure. There are some exceptions, but most networks which are
    poorly run are insecure by practice and don't suffer inline security
    that well. Other networks that have had a sound security design have
    shrugged off worms and attacks without any new technology.

    The other area IPS is becoming popular is at the host. Okena (Cisco),
    Entercept (NAI), SANA, all of the host firewall guys, the virus guys and
    who knows who else have solutions to mitigate attacks at the server and
    desktop. Some of these guys use rules, AI, mods to the OS, enhanced
    firewall ACLs, prayer and reverse engineered alien technology.

    What gets me about IPS is how polarizing it is to the enterprise
    security industry. There are some really big enterprises out there that
    hear Gartner slam the lack of success of IDS, and then look to their
    successful IDS deployments. I see the purchase of Guardent by Verisign
    and Riptech by Symantec as endorsements of the IDS space. At the same
    time, I see a lot of folks halting NIDS/HIDS deployments in favor of
    enhanced configuration/vulnerability management or even outsourcing IT
    altogether.

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com

    At 09:44 AM 12/28/2003 -0700, Teicher, Mark (Mark) wrote:
    >Again, I am broaching the subject of what is the true definition of
    >Intrusion Prevention. Can someone on the list please enlighten me. It
    >appears the definition of IPS has yet been re-formed by various market
    >analysts and some vendors.
    >
    >Normalization and anomaly detection are not "Intrusion Prevention".
    >
    >What is the difference between Intrusion Detection and Intrusion
    >Prevention at the high level? Then at the granular level, Network
    >Intrusion Prevention versus Network Intrusion Detection, Host Intrusion
    >Prevention, Host Intrusion Detection?
    >
    >Some vendors have mentioned the use of "black list" vs "white list".
    >This appears a bit more subjective, and less effective in most
    >enterprises since this would require application network traffic
    >analysis, and researching all the little .dlls that are associated with
    >various applications in order to derive an effective "black list"
    >versus "white list" policy.
    >
    >This then brings me to another point, host integrity checking. This
    >technology makes no sense; all it is is a simple check for running a
    >certain application, patch level, or AV engine. There are various
    >vendors out there that offer AV/Patch management solutions that offer a
    >more enhanced feature set than just a check for a registry.
    >
    >*points to ponder*
    >
    >/mark

