Chapter 2. Signatures and Actions


Before you decide to buy a product of any kind, you usually want to know exactly what it is you're buying. That way, you don't get something you don't want. This seems like a reasonable goal, but achieving this goal isn't always easy. What's challenging is the vocabulary used to describe what the product does and how it works. Two different products might have a feature with the same name, but the feature in each product might actually be completely unrelated. Without an industry agreed-upon set of definitions, product marketing can use terminology to make each product appealing to customers, even if this usage makes it difficult for customers to compare the functionality between different IPS products.

Take the purchase of a new vehicle, for example. Three different automobiles claim to have drive stabilization systems. That sounds great, but does the system work in the same way for each car? Is one more suitable for your needs than the other? How is the system implemented? Close examination might show how the system in one car reduces vibration when driving over bumpy roads whereas in another car it helps control the vehicle's balance during sharp turns. The name for the feature is exactly the same, but what it actually does is very different.

Seeing through the fog of feature names and marketing buzzwords is especially difficult when the product of interest is in a new technology, such as Intrusion Prevention. Intrusion Prevention System (IPS) product data sheets and websites tend to use vague product descriptors like deep packet inspection, anomaly detection, innate defense models, signatures, and behavior-based and advanced network intelligence. The descriptors might be accurate, but the functionality behind the words is often not consistent from product to product.

The way to see through the words and discern the product functionality is to create clear definitions for commonly used feature names. One feature commonly associated with IPS is signatures. Attack signatures have been around for long enough that the definition should be universally understood, but that's not the case. Simply put, an IPS signature is any distinctive characteristic that identifies something. Using this definition, all IPS products use signatures of some kind, regardless of what the product descriptions claim. To find something and stop it, you must be able to identify it, and for you to identify it, it must display a distinct characteristic. Signatures are distinguished by the following characteristics:

  • Signature types
  • Signature trigger
  • Signature actions




Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115
