IDS mailing list archives
Re: Changes in IDS Companies?
From: Aaron Turner <aturner () pobox com>
Date: Fri, 25 Oct 2002 17:50:06 -0700
On Fri, Oct 25, 2002 at 02:59:43PM -0000, Proxy Administrator wrote:
> On Wed, 23 Oct 2002, Aaron Turner wrote:
>> Oh, don't get me wrong... I'm all for defense in depth. And while I agree that HIDS has some technological advantages over network based IDS, it also has serious management and cost disadvantages over them as well. I also think that network based IDS will close the security gap a lot faster than HIDS will the management gap. Cost will probably stay about the same.
>
> Considering the greater potential of a HIDS and the greater advantage of running a HIDS (along with a NIDS), it would not be wise to think that NIDS will close the security gap faster. What about insider attacks, local exploits etc. We see a lot of advisories which say,
My argument is based on my gut-feeling/observation that a lot more effort and money is being put into network IDS/IDP solutions than on the host side. Also because of the hype we all see around network solutions, that tends to be what organizations are asking for. Companies which wish to sell product, tend to develop products that are in demand. As more development is put into NIDS/NIPS, more hype is generated and we get a vicious cycle. Maybe this cycle will break, but I haven't seen any real indications it will anytime soon.
<snip good example of local exploit: Sun /bin/login>
> But Aaron is right when he says management and cost issues remain a disadvantage. But it shouldn't be too difficult for vendors to solve management problems, might be difficult for organizations to accept them!
I'd argue if organizations find it difficult to accept the "solution" the vendor has developed, then the vendor has failed to develop a viable solution to the problem. While, yes, there are on occasion times when customers need to be re-educated about the merits of a solution. However, when it comes to management tools, especially security management tools, the best solutions generally have the least issues for the customer.
>> Basically, organizations will run network based IDS everywhere and HIDS only on a few critical systems. And I think most IDS companies realize this, which is why everyone hypes their NIDS/NIPS and seems to be putting in a lot of $$$ into that technology and less so their HIDS. (I could be wrong about this one, it's just a gut feeling, I haven't done any studies or anything like that.)
>
> They sell the solution saying it will take care of everything. They then can't go around saying that customers would need a HIDS to detect attacks which "cannot" be detected by the NIDS. It would be quite a shame if companies don't give the same amount of importance to developing HIDS technology, considering how difficult things might be for NIDS to detect attacks in the future with increasing use of encryption.
Agreed. Hopefully things will change, and HIDS will start getting the improvements it needs to succeed in the marketplace. Until then, most people are going to go with network solutions and I suspect we'll start seeing in the next 12-18 months a shift from traditional NIDS to NIPS.

--
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/aturner
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.