IDS mailing list archives
Re: True definition of Intrusion Prevention
From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 30 Dec 2003 08:05:10 -0500
Teicher, Mark (Mark) wrote:

> What is the difference between Intrusion Detection, Intrusion Prevention
> at the high level.

Having the ability to block a detected attack instead of just reporting on it.

> Then at the granular level, Network Intrusion Prevention versus Network
> Intrusion Detection, Host Intrusion Prevention, Host Intrusion Detection?

Methods for detection in both types of devices are similar, if not
identical, at the granular level. What differs is what is done after the
detection. An inline network device can block the traffic. A host device
may prevent a process from running, accessing certain parts of the
system, or accessing the network.

> This then brings me to another point, host integrity checking, this
> technology makes no sense, all it is a simple check for running a
> certain application, patch level, or av engine. There are various
> vendors out there that offer AV/Patch management solutions that offer
> an enhanced feature set than just a check for a registry.

You seem to be describing a vulnerability check. I consider host
integrity checking to be monitoring the integrity of the host's
operation. File signatures by something like Tripwire immediately come
to mind. Monitoring open ports. Monitoring which applications access the
network. Monitoring critical system libraries, configuration files, and
access controls. It is a subset of configuration management which also
encompasses patch control.

There are no cut in stone definitions. Determining the suitability of a
particular device or application requires an understanding of how it
works and the system or network operation on which it will be deployed.
Marketing oversimplification is done for those folks who cannot
determine that themselves and want to buy a black box that will solve
all their problems choosing from a check-off sheet and save themselves
the trouble of hiring the staff that actually understand the
environment...if, indeed, that can be done with today's complex,
interwoven environment and the many levels on which interactions occur.
It's like the false sense of security given first by AV software and
lately, desktop firewalls. They raise the bar and have specific jobs to
do but without an understanding of what they can and cannot do, their
effectiveness is less than what they could be.