RE: True definition of Intrusion Prevention

From: Teicher, Mark (Mark) (teicher_at_avaya.com)
Date: 01/02/04

    Date: Fri, 2 Jan 2004 07:41:50 -0700
    To: "George Capehart" <gwc@acm.org>, "Gary Flynn" <flynngn@jmu.edu>

    <comments within>

    -----Original Message-----
    From: George Capehart [mailto:gwc@acm.org]
    Sent: Tuesday, December 30, 2003 4:03 PM
    To: Gary Flynn
    Cc: focus-ids@securityfocus.com
    Subject: Re: True definition of Intrusion Prevention

    On Tuesday 30 December 2003 08:05 am, Gary Flynn wrote:
    > Teicher, Mark (Mark) wrote:
    > >What is the difference between Intrusion Detection, Intrusion
    > > Prevention at the high level.
    >
    > Having the ability to block a detected attack instead of just
    > reporting on it.

    That's not intrusion *prevention*, it's intrusion *blocking*. ;-)

    I'm being pedantic here for two reasons:
    a) I think the definition you have provided is the one that the
    marketeers implicitly use, and

    <Yes, that was the point, that marketing type people have blinded me
    with their definition, so that I am completely confused and dumbfounded>
     
    b) *blocking* an attack in process is */not/* the same as preventing an
    attack in the first place.

    <Prevention, my mother always told me always use "protection", but to
    this day, I am not quite sure what she meant>

    An attack is */prevented/* if it doesn't or can't happen. There are two
    broad classes of means of preventing attacks:
    a) take out the attacker(s) before they attack or
    b) harden the target such that it is not vulnerable to the attack.

    <The term "Intrusion Prevention" isn't clearly defined, as you have
    observed, but "Intrusion Blocking" doesn't ring the ears like the
    marketing folks want you to do>

    Don't get me wrong, I don't have a problem with "intrusion blocking" if
    it is successful . . . that is, if the attack is detected in time and
    the appropriate "blocking mechanisms" are available. I'd just rather
    call a duck a duck . . . ;-) I think it is possible to build an
    "intrusion blocking device." Intrusion prevention is a process.
    (Apologies to Bruce Schneier ;-) )

    <"Intrusion Prevention is a process??" What kind of blocking mechanisms
    are you referring to ?? I have never met a duck who dabbles in
    information security, I have heard of a cat who swipes at their owner
    when they program insecure code :)>

    I wouldn't have taken this up, but I think it is more important to make
    the distinction between "blocking" and "prevention" than is made in the
    hype. They just aren't equivalent. Preventing an attack means that
    action has been taken to keep the attack from happening. Blocking an
    attack means that the attack has been launched and one hopes that one
    has all of the mechanisms in place necessary to keep the attack from
    succeeding . . .

    <What distinction?? The marketing folks created a term that no one in
    the industry understands. Blocking is often referred to as TCP
    Shunning, but since this is New Year's Day, why not start the year off
    without falling off the soapbox :)>

    My $0.02 USD.

    Best regards,

    George Capehart

