Monday, April 04, 2005

Review of Intrusion Prevention and Active Response Posted

Amazon.com just posted my four star review of Intrusion Prevention and Active Response. From the review:

"Intrusion Prevention and Active Response (IPAAR) is a good book, as long as you confine your expectations to open source solutions. The foreword says 'Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone, or CrossTec.' This foreword was the first time I had heard of several of these products, but unfortunately none of them receive any coverage at all in IPAAR. Aside from a short discussion of the Enterasys Web IPS, eEye's SecureIIS, and improvements in Microsoft IIS 6.0, IPAAR squarely concentrates on open source products. Nevertheless, the book does a better job covering so-called prevention solutions than the previous book with 'prevention' in the title, e.g., Osborne's Intrusion Detection and Prevention."

Regular blog readers know I consider network-based "intrusion prevention systems" to be layer 7 firewalls. If a network-based device is making an access control decision, it is a firewall. Generically speaking, any device which makes access control decisions is a policy enforcement system (PES?). We simply have a popular name for a PES that operates at the network level -- it's a firewall. Just as a network PES enforces policy on packets, a host PES enforces policy on system calls and other operating system activities. I think host PES accurately describes Niels Provos' Systrace, which "enforces system call policies for applications by constraining the application's access to the system." I'm not sure that host PES accurately describes the stack-smashing protector, aka ProPolice.

I would like nothing better than to completely abolish the term "intrusion prevention system." Isn't every part of the security process trying to prevent intrusions? I think well-written code, or at least applying patches, is the best way to prevent intrusions to systems exposed to hostile users. Does that mean Windows patch management is an intrusion prevention system? Argh.

1 comment:

Anonymous said...

I'd agree 100% with what you say. Almost everything we do in security is about preventing intrusion(s). I also predict that someone/some vendor might coin the term Threat Mitigation System soon to describe existing security implementations.

- adli, kuala lumpur