RE: True definition of Intrusion Prevention
From: Teicher, Mark (Mark) (teicher_at_avaya.com)
Date: 01/02/04
- Previous message: Bob Walder: "RE: IDS testing methodologies"
- Next in thread: George Capehart: "Re: True definition of Intrusion Prevention"
- Reply: George Capehart: "Re: True definition of Intrusion Prevention"
- Maybe reply: Teicher, Mark (Mark): "RE: True definition of Intrusion Prevention"
- Maybe reply: Bohling James CONT JBC: "RE: True definition of Intrusion Prevention"
- Maybe reply: Teicher, Mark (Mark): "RE: True definition of Intrusion Prevention"
- Reply: Gary Flynn: "Re: True definition of Intrusion Prevention"
- Maybe reply: Teicher, Mark (Mark): "RE: True definition of Intrusion Prevention"
- Maybe reply: Fengmin_Gong_at_NAI.com: "RE: True definition of Intrusion Prevention"
- Maybe reply: Fengmin_Gong_at_NAI.com: "RE: True definition of Intrusion Prevention"
- Maybe reply: Teicher, Mark (Mark): "RE: True definition of Intrusion Prevention"
- Maybe reply: Bohling James CONT JBC: "RE: True definition of Intrusion Prevention"
- Maybe reply: Vigilant Labs: "RE: True definition of Intrusion Prevention"
Date: Fri, 2 Jan 2004 07:41:50 -0700
To: "George Capehart" <gwc@acm.org>, "Gary Flynn" <flynngn@jmu.edu>
<comments within>
-----Original Message-----
From: George Capehart [mailto:gwc@acm.org]
Sent: Tuesday, December 30, 2003 4:03 PM
To: Gary Flynn
Cc: focus-ids@securityfocus.com
Subject: Re: True definition of Intrusion Prevention
On Tuesday 30 December 2003 08:05 am, Gary Flynn wrote:
> Teicher, Mark (Mark) wrote:
> > What is the difference between Intrusion Detection and Intrusion
> > Prevention at the high level?
>
> Having the ability to block a detected attack instead of just
> reporting on it.
That's not intrusion *prevention*, it's intrusion *blocking*. ;-)
I'm being pedantic here for two reasons:
a) I think the definition you have provided is the one that the
marketeers implicitly use, and
<Yes, that was the point: marketing-type people have blinded me with
their definition, so that I am completely confused and dumbfounded>
b) *blocking* an attack in process is */not/* the same as preventing an
attack in the first place.
<Prevention, my mother always told me always use "protection", but to
this day, I am not quite sure what she meant>
An attack is */prevented/* if it doesn't or can't happen. There are two
broad classes of means of preventing attacks:
a) take out the attacker(s) before they attack or
b) harden the target such that it is not vulnerable to the attack.
<The term "Intrusion Prevention" isn't clearly defined, as you have
observed, but "Intrusion Blocking" doesn't ring in the ears the way the
marketing folks want it to>
Don't get me wrong, I don't have a problem with "intrusion blocking" if
it is successful . . . that is, if the attack is detected in time and
the appropriate "blocking mechanisms" are available. I'd just rather
call a duck a duck . . . ;-) I think it is possible to build an
"intrusion blocking device." Intrusion prevention is a process.
(Apologies to Bruce Schneier ;-) )
<"Intrusion Prevention is a process??" What kind of blocking mechanisms
are you referring to ?? I have never met a duck who dabbles in
information security, I have heard of a cat who swipes at their owner
when they program insecure code :)>
I wouldn't have taken this up, but I think it is more important to make
the distinction between "blocking" and "prevention" than is made in the
hype. They just aren't equivalent. Preventing an attack means that
action has been taken to keep the attack from happening. Blocking an
attack means that the attack has been launched and one hopes that one
has all of the mechanisms in place necessary to keep the attack from
succeeding . . .
<What distinction?? The marketing folks created a term that no one in
the industry understands. Blocking is often referred to as TCP
shunning, but since this is New Year's Day, why not start the year off
without falling off the soapbox :)>
My $0.02 USD.
Best regards,
George Capehart