Next-generation intrusion prevention: The pre-attack period

At a macro-level, configuration management is perhaps the best term to describe the activities associated with this phase – although the case could also be made for calling it vulnerability management. Regardless, for our purposes the pre-attack period can logically be divided into two separate timeframes.

Assessments are typically made relatively long before an attack (i.e., days, weeks) to establish proper configuration of the computing environment. This entails identifying discrepancies from established policies as well as vulnerabilities, both those that are the result of coding deficiencies and those that are the result of configuration "errors." Various scanning technologies are applicable and findings are subsequently addressed, typically by implementing patches, re-configuring affected devices or re-configuring upstream security devices.

Clearly these are all positive, preventive measures. Yet they describe a conventional approach. It is based on periodic snapshots and is therefore diminishing in value as the time between vulnerability discovery and the appearance of an associated exploit consistently shrinks. In contrast, a defining characteristic for next-generation intrusion prevention is the ability to significantly reduce the period between assessments, ideally offering some degree of always-on, passive scanning capability in conjunction with on-demand, highly-targeted active scanning.

The second part of the pre-attack period occurs immediately prior to a potential attack. This is the domain of conventional access control tools such as firewalls and routers with ACLs that can stop an imminent attack as a matter of routine enforcement of the rules that comprise their configuration. By no means a sufficient defense against attacks, these tools are still very effective in terms of making the problem space more manageable. As will be discussed in part three, there is also the potential to use them more dynamically to assist with attack mitigation.

In the next installments we'll take a closer look at the technologies and processes associated with the attack and post-attack periods.

NEXT-GENERATION INTRUSION PREVENTION

  A continuum of capabilities
  The pre-attack period
  Time zero (during the attack)
  The post-attack period
  The power of an integrated system

ABOUT THE AUTHOR:

Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Detection System (www.snort.org) that forms the foundation for the Sourcefire 3D System.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: How to use Nipper to create network security reports Mining enterprise SIM logs for relevant security event data Exploring Microsoft's Network Access Protection policy options Screencast: How to use Wikto for Web server assessment How to configure NAP for Windows Server 2008 How to avoid DLP implementation pitfalls Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? How to patch Kaminsky's DNS vulnerability Directory services and beyond: The future of LDAP Screencast: Catching network traffic with Wireshark Network Intrusion Detection (IDS) Product review: AirDefense Enterprise 7.3 What are best practices for creating an IDS and maintaining a signature database? Network intrusion prevention systems: Should enterprises deploy now? RSA 2008: Sourcefire founder Roesch previews Snort 3 What is the best possible IDS deployment for an Enterprise Resource Planning (ERP) system? Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) IBM announcements mark two years of ISS marriage Product review: AirDefense Enterprise 7.3 NitroSecurity covers its bases with RippleTech deal Network intrusion prevention systems: Should enterprises deploy now? If one server in a DMZ network gets attacked from outside, will the other servers be corrupted? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? What is a 'top-down' IPS sensor search? Is a 'self-defending network' possible? Best practices for purchasing an intrusion detection device Network Intrusion Prevention (IPS) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.