Published: 01 Apr 2002
One thing everybody can agree on is that infosecurity is hard. Think about it: it's one of the few disciplines that touches every layer of the IT infrastructure (physical, network, OS, application and so on). And that's only half of it. Securing the other half, the carbon-based units operating all this technology, makes the rest look easy.
Vendors have a nasty habit of taking what's hard and making it even harder. Take "intrusion prevention," the latest buzz phrase for a bevy of recently released host security tools. The phrase first cropped up about two years ago when a company named Click-Net launched a product called Entercept (the company subsequently renamed itself after the software). Entercept took a then-unique approach to host security by essentially wrapping the OS kernel with an agent that intercepted system calls and evaluated each one against a database of known attack signatures and generic attack behaviors. Depending on the nature of the request, Entercept would permit the call or terminate it, thereby "preventing" attacks such as buffer overflow exploits and privilege escalation.
While Entercept was the first to market its product under this moniker, several vendors soon followed suit. Among those marketing intrusion prevention tools today are Symantec, Okena, Cyber-Ark, Hewlett-Packard, Top Layer, Argus Systems, Armored Networks, Harris, Recourse, Sanctum and Network-1. All of these products focus on shielding hosts from attacks, but that's where the similarity ends. Some are basically application firewalls; others are really host-based IDSes. Some hook directly into the kernel; others don't. Some harden the OS by removing functionality. Some protect any application, while others focus specifically on protecting Web apps.
Yes, these products do prevent certain types of attacks from executing on a protected host. In that sense, it's perfectly accurate to describe them as intrusion prevention tools. Moreover, these products perform a valuable service. I like their "value proposition," as a marketing exec would say.
My beef isn't with intrusion prevention solutions, but with the term itself. When you step back from the above description, "intrusion prevention" can refer to pretty much every security tool. Firewalls prevent intrusions by filtering packets based on their source and destination or, in the case of proxies and content filters, on their payload. AV scanners prevent malicious code from "intruding" into networks and systems, where it could infect protected resources. VPNs encrypt and authenticate traffic crossing the Internet, preventing intruders from sniffing it or inserting themselves as a man in the middle.
The point is that if "intrusion prevention" can refer to everything, it can't mean anything; that is, it can't mean any one thing. It's a convenient marketing neologism designed to make you think it's the next evolution in IDSes. I wouldn't mind this so much if the products marketed as intrusion prevention tools actually worked the same way. But they don't.
As a former PR guy, I understand why the vendors have latched onto this term. First, "intrusion prevention" sounds sexy. Second, it's nearly impossible to sell a product if it's the only one in existence that does exactly what it does, because nobody will take it seriously. It's far easier to shoehorn your product into an existing category, even if the fit is imprecise and the category undefined. Third, nobody would buy these products if vendors called them what they are. Imagine a salesman coming to your office hawking a "software tool that wraps the host OS with an agent layer that checks each system call against a database of attack patterns and then responds according to the attack profile."
Sales guy: "Really, it's quite simple."
You: "Get out of my office."
This isn't entirely the vendors' fault. You'd probably let the guy in your door if he said instead, "We have an intrusion prevention tool." But calling these products "intrusion prevention" doesn't tell you what he's offering. He's hoping that either (a) you've heard of intrusion prevention and understand that it refers to some amorphous category of host security products, or (b) you haven't heard of it but are duly impressed by the sound of it, as in, "It sounds like the next generation of IDS."
Sorry, but I find this a little annoying. If vendors say "firewall," you know where you stand. If they say "antivirus," you've got a known quantity. If they say "VPN," you're immediately on the same page. But if they say "intrusion prevention," your next response has to be another question: "What type?" or simply "Huh?"
In the end, another layer of confusion is added to the FUD that many security vendors already rely on for sales. These products address a serious security problem, but their overall value is diluted by a meaningless marketing term. Security just got harder. Again.
About the Author: Andy Briney is editor-in-chief of Information Security magazine.