Re: Changes in IDS Companies?

From: Matt Harris (mdh@unix.si.edu)
Date: 10/28/02 

Date: Mon, 28 Oct 2002 09:23:04 -0500
From: Matt Harris <mdh@unix.si.edu>
To: "A.S.Rajendran" <asraj@intotoinc.com>

There's also the option of using a non-inline style IDS, but having it
utilize an in-line device which should, theoretically, already be
present on your network border to handle blocking of traffic (such as
router ACL's, which is what Cisco's IDS does by default, or adding and
managing temporary firewall rules, etc). This seems to work well, and
since the actual IDS work is done on a different host than the network
traffic passing, the actual performance hit is very limited in that you
won't see more of a hit than you will if you were using ACL's or
firewall rules anyways, which most security-concious folk are.

"A.S.Rajendran" wrote:
>
> There is no single solution for network security.One should use a
> combination of all to effectively secure the network.
> Both NIDS and Inline IPS method has their particular strengths and weaknesses.
> Inline IPS has the ability to block the suspicious traffic. But it has
> performance penalties. NIDS cannot effectively block the traffic. But it
> will not degrade the network performance. We should use the positive points
> of both.
> Inline IPS method should be used to block traffic with protocol anomaly
> and to block some suspicious packet temporary by using signatures until
> some patch is available to the vulnerable services. NIDS can be used to
> monitor all the traffic and generate a log message for all suspicious
> packets. HIDS can be used for detecting repeated failed access attempts or
> changes to critical system files.
> A.S.Rajendran,
> Project Leader,
> Intoto Software (I) pvt Ltd,
> Secunderabad, India.
> email: asraj@intotoinc.com.
> web: www.intotoinc.com
>
> > > And there
> > > always will be such attacks, furthermore. Conversely, HIDS has a much
> > > easier time seeing a sudden change to a file that is not supposed to
> > > change, and thus the argument for layers.
> >
> >Oh, don't get me wrong... I'm all for defense in depth. And while I agree
> >that HIDS has some technological advantages over network based IDS, it also
> >has serious management and cost disadvantages over them as well. I also
> >think that network based IDS will close the securtiy gap a lot faster
> >than HIDS will the management gap. Cost will probably stay about the same.
> >
> >Basically, organizations will run network based IDS everywhere and HIDS only
> >on a few critical systems. And I think most IDS companies realize this,
> >which is why everyone hypes their NIDS/NIPS and seems to be putting in a lot
> >of $$$ into that technology and less so their HIDS. (I could be wrong about
> >this one, it's just a gut feeling, I haven't done any studies or anything
> >like that.) 

-- 
/*
 *
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 *
 */

Quantcast