IDS
mailing list archives
Re: True definition of Intrusion Prevention
From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 30 Dec 2003 08:05:10 -0500
Teicher, Mark (Mark) wrote:

> What is the difference between Intrusion Detection and Intrusion Prevention at the high level?

Having the ability to block a detected attack instead of just reporting on it.

> Then at the granular level, Network Intrusion Prevention versus Network Intrusion Detection, Host Intrusion Prevention, Host Intrusion Detection?

Methods for detection in both types of devices are similar, if not identical, at the granular level. What differs is what is done after the detection. An inline network device can block the traffic. A host device may prevent a process from running, accessing certain parts of the system, or accessing the network.

> This then brings me to another point, host integrity checking. This technology makes no sense; all it is is a simple check for running a certain application, patch level, or AV engine. There are various vendors out there that offer AV/patch management solutions that offer an enhanced feature set than just a check for a registry.

You seem to be describing a vulnerability check. I consider host integrity checking to be monitoring the integrity of the host's operation. File signatures by something like Tripwire immediately come to mind. Monitoring open ports. Monitoring which applications access the network. Monitoring critical system libraries, configuration files, and access controls. It is a subset of configuration management, which also encompasses patch control.

There are no cut-in-stone definitions. Determining the suitability of a particular device or application requires an understanding of how it works and the system or network operation on which it will be deployed. Marketing oversimplification is done for those folks who cannot determine that themselves and want to buy a black box that will solve all their problems, choosing from a check-off sheet and saving themselves the trouble of hiring the staff that actually understand the environment...if, indeed, that can be done with today's complex, interwoven environment and the many levels on which interactions occur.

It's like the false sense of security given first by AV software and lately by desktop firewalls. They raise the bar and have specific jobs to do, but without an understanding of what they can and cannot do, their effectiveness is less than what it could be.
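The Tripwire-style file-signature monitoring Gary describes above, as an added example that is not part of the original post or of any product: a baseline of hashes and permissions is taken over a constructed toy tree, the tree is tampered with, and the checker separates content changes from metadata-only drift (such as a changed mode bit) and from added or removed files.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes a Tripwire-style checker baselines for one file."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def snapshot(root: Path) -> dict:
    """Record every regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift: new files, deleted files, content changes, metadata-only changes."""
    report = {"added": [], "removed": [], "modified": [], "meta_changed": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            report["added"].append(name)
        elif new is None:
            report["removed"].append(name)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(name)
        elif old != new:  # same bytes, but mode/owner/size differs (e.g. setuid bit)
            report["meta_changed"].append(name)
    return report

def demo() -> dict:
    """Constructed scenario: baseline a toy tree, then tamper with it and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "bin" / "ls").chmod(0o755)
        baseline = snapshot(root)  # a real checker would persist this off-host
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "bin" / "ls").chmod(0o4755)  # setuid bit added, bytes unchanged
        (root / "hosts").unlink()
        (root / "rc.local").write_text("#!/bin/sh\n")
        return compare(baseline, snapshot(root))
```

The baseline must be stored somewhere the monitored host cannot rewrite, otherwise an attacker who alters a file can simply re-baseline it; this is assumed, not implemented, here.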