Re: Changes in IDS Companies?

From: Aaron Turner (
Date: 10/26/02

Date: Fri, 25 Oct 2002 17:50:06 -0700
From: Aaron Turner <>

On Fri, Oct 25, 2002 at 02:59:43PM -0000, Proxy Administrator wrote:
> On Wed, 23 Oct 2002, Aaron Turner wrote:
> >Oh, don't get me wrong... I'm all for defense in depth. And
> >while I agree that HIDS has some technological advantages over
> >network based IDS, it also has serious management and cost
> >>disadvantages over them as well. I also think that network
> >based >IDS will close the securtiy gap a lot faster than HIDS
> >will the >management gap. Cost will probably stay about the
> >same.
> Considering the greater potential of a HIDS and the greater
> advantage of running a HIDS (along with a NIDS), it would not be
> wise to think that NIDS will close the security gap faster. What
> about insider attacks, local exploits etc. We see a lot of
> advisories which say,

My argument is based on my gut-feeling/observation that a lot more
effort and money is being put into network IDS/IDP solutions than
on the host side. Also because of the hype we all see around network
solutions, that tends to be what organizations are asking for. Companies
which which to sell product, tend to develop products that are in demand.
As more development is put into NIDS/NIPS, more hype is generated and we
get a vicious cycle. Maybe this cycle will break, but I haven't seen
any real indications it will anytime soon.

<snip good example of local exploit: Sun /bin/login>

> But Aaron is right when he says management and cost issues remain
> a disadvantage. But it shouldn't be too difficult for vendors to
> solve management problems, might be difficult for organizations to
> accept them!

I'd argue if organizations find it difficult to accept the "solution"
the vendor as developed, then the vendor has failed to develop a
viable solution to the problem.

While, yes, there are on occasion times when customers need to be re-educated
about the merits of a solution. However, when it comes to management tools,
especially security management tools, the best solutions generally have the
least issues for the customer.
> >Basically, organizations will run network based IDS everywhere
> >and HIDS only on a few critical systems. And I think most IDS
> >companies realize this, which is why everyone hypes their
> >NIDS/NIPS and seems to be putting in a lot of $$$ into that
> >technology and less so their HIDS. (I could be wrong about
> >this one, it's just a gut feeling, I haven't done any studies
> >or
> >anything like that.)
> They sell the solution saying it will take care of everything.
> They then can't go around saying that customers would need a HIDS
> to detect attacks which "cannot" be detected by the NIDS. It would
> be quite a shame if companies don't give the same amount of
> importance to developing HIDS technology, considering how
> difficult things might be for NIDS to detect attacks in the future
> with increasing use of encryption.

Agreed. Hopefully things will change, and HIDS will start getting the
improvements it needs to succeed in the marketplace. Until then,
most people are going to go with network solutions and I suspect we'll
start seeing in the next 12-18 months a shift from traditional NIDS to NIPS.

Aaron Turner <aturner at|>
They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin

pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery.

Relevant Pages

  • Re: host-based ids evaluation
    ... That is why NIDS is proactive, it will log the network traffic patterns ... As for NIDS and HIDS they work differently, ... >>>different types of IDS. ...
  • Re: host-based ids evaluation
    ... noting that there is rarely any correlation between events generated by NIDS ... HIDS can also be very noisy, ... NIDS.....An exception could be an Inline IDS which stops the attacks getting ... > and NIDS will monitor the network activity under that (or above if I ...
  • Re: host-based ids evaluation
    ... Personally, I think in most case HIDS is more of "reactive", and NIDS is ... While NIDS will/can gather all the information on the network. ... > a Host IDS looks within the host for evidence of intrusion. ...
  • Re: Changes in IDS Companies?
    ... combination of all to effectively secure the network. ... Both NIDS and Inline IPS method has their particular strengths and weaknesses. ... Conversely, HIDS has a much ...
  • Re: Changes in IDS Companies?
    ... it also has serious management and cost ... >based>IDS will close the securtiy gap a lot faster than HIDS ... wise to think that NIDS will close the security gap faster. ...