Re: Changes in IDS Companies?

From: Proxy Administrator (proxyadmin@rediffmail.com)
Date: 10/25/02


Date: 25 Oct 2002 14:59:43 -0000
From: "Proxy Administrator" <proxyadmin@rediffmail.com>
To: "Aaron Turner" <aturner@pobox.com>

On Wed, 23 Oct 2002, Aaron Turner wrote:

>Oh, don't get me wrong... I'm all for defense in depth. And
>while I agree that HIDS has some technological advantages over
>network based IDS, it also has serious management and cost
>disadvantages over them as well. I also think that network
>based IDS will close the security gap a lot faster than HIDS
>will the management gap. Cost will probably stay about the
>same.

Considering the greater potential of a HIDS and the greater
advantage of running a HIDS (along with a NIDS), it would not be
wise to think that NIDS will close the security gap faster. What
about insider attacks, local exploits, etc.? We see a lot of
advisories which say,

Remote: yes
Local: no

For example, the Sun Solaris /bin/login Authentication Bypass
Vulnerability. This is not true for this one and for so many others,
yet advisories are released this way. (Maybe we need to reconsider
how advisories are written too.)

Now, anyone whose signatures have been updated but whose systems
haven't will be able to detect remote attempts to exploit this,
but what about local attempts? They will go undetected. NIDS
cannot do its magic here. So, one system gets trojanned, many
others get exploited.

Aaron is right when he says management and cost issues remain
a disadvantage. But it shouldn't be too difficult for vendors to
solve the management problems; it might be difficult for
organizations to accept them!

>Basically, organizations will run network based IDS everywhere
>and HIDS only on a few critical systems. And I think most IDS
>companies realize this, which is why everyone hypes their
>NIDS/NIPS and seems to be putting in a lot of $$$ into that
>technology and less so their HIDS. (I could be wrong about
>this one, it's just a gut feeling, I haven't done any studies
>or anything like that.)

They sell the solution saying it will take care of everything.
They then can't go around saying that customers would need a HIDS
to detect attacks which "cannot" be detected by the NIDS. It would
be quite a shame if companies don't give the same amount of
importance to developing HIDS technology, considering how
difficult things might be for NIDS to detect attacks in the future
with increasing use of encryption.

Regards,

Proxy Administrator
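The post's point is that a local compromise (a trojanned /bin/login, a new setuid binary) produces no network traffic for a NIDS to match a signature against, while a host-based check sees it directly. The script below is an added example, not code from the original post or from any IDS vendor: a minimal file-integrity baseline in the style of Tripwire or AIDE. The directory layout, file contents and the "compromise" it simulates are all constructed for the demonstration.

```python
"""
Added example (not part of the original Focus-IDS post): a minimal
host-based integrity baseline. It records a SHA-256 digest and the
permission bits of each watched file, then reports files whose
content or mode has changed. Replacing a binary or adding a setuid
bit happens entirely on the host, which is exactly the class of
event the post says a NIDS cannot observe.
All paths and file contents in demo() are constructed stand-ins.
"""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Digest the file content and capture its mode bits.

    The mode is kept separately from the hash so that a setuid bit
    appearing on an otherwise unchanged binary is still reported.
    """
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size}


def build_baseline(root, names):
    """Snapshot every watched file relative to root (the trusted state)."""
    return {name: file_record(os.path.join(root, name)) for name in names}


def check_baseline(root, baseline):
    """Compare the current host state against the baseline.

    Returns a list of (name, reason) findings; an empty list means
    nothing watched has changed.
    """
    findings = []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.lexists(path):
            findings.append((name, "missing"))
            continue
        current = file_record(path)
        if current["sha256"] != expected["sha256"]:
            findings.append((name, "content changed"))
        if current["mode"] != expected["mode"]:
            findings.append((name, "mode changed (was %o, now %o)"
                             % (expected["mode"], current["mode"])))
    return findings


def demo():
    """Constructed scenario: a stand-in bin/login is trojanned and a
    helper binary is made setuid, with no network traffic involved.
    Returns (findings before compromise, findings after)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        helper = os.path.join(root, "bin", "helper")
        with open(login, "wb") as f:
            f.write(b"original login binary\n")   # constructed content
        with open(helper, "wb") as f:
            f.write(b"helper binary\n")           # constructed content
        os.chmod(login, 0o755)
        os.chmod(helper, 0o755)

        baseline = build_baseline(root, ["bin/login", "bin/helper"])
        before = check_baseline(root, baseline)

        # Simulated local compromise: replace login, add setuid to helper.
        with open(login, "wb") as f:
            f.write(b"trojanned login binary\n")
        os.chmod(helper, 0o4755)

        after = check_baseline(root, baseline)
        return before, after


if __name__ == "__main__":
    clean, compromised = demo()
    print("before compromise:", clean)
    print("after compromise: ", compromised)
```

In a real deployment the baseline would be signed and stored off-host, and the check would run from read-only media or a trusted schedule; otherwise an attacker with local root can simply rebuild the baseline after trojanning the binary.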


