IDS mailing list archives
Re: Changes in IDS Companies?
From: Matt Harris <mdh () unix si edu>
Date: Mon, 28 Oct 2002 09:23:04 -0500
There's also the option of using a non-inline style IDS, but having it utilize an in-line device which should, theoretically, already be present on your network border to handle blocking of traffic (such as router ACLs, which is what Cisco's IDS does by default, or adding and managing temporary firewall rules, etc.). This seems to work well, and since the actual IDS work is done on a different host than the one the network traffic passes through, the actual performance hit is very limited in that you won't see more of a hit than you would if you were using ACLs or firewall rules anyway, which most security-conscious folk are.

"A.S.Rajendran" wrote:

> There is no single solution for network security. One should use a combination of all to effectively secure the network. Both NIDS and inline IPS methods have their particular strengths and weaknesses. Inline IPS has the ability to block the suspicious traffic, but it has performance penalties. NIDS cannot effectively block the traffic, but it will not degrade the network performance. We should use the positive points of both. The inline IPS method should be used to block traffic with protocol anomalies and to block some suspicious packets temporarily by using signatures until a patch is available for the vulnerable services. NIDS can be used to monitor all the traffic and generate a log message for all suspicious packets. HIDS can be used for detecting repeated failed access attempts or changes to critical system files.
>
> A.S.Rajendran, Project Leader, Intoto Software (I) pvt Ltd, Secunderabad, India.
> email: asraj () intotoinc com
> web: www.intotoinc.com
>
> > > And there always will be such attacks, furthermore. Conversely, HIDS has a much easier time seeing a sudden change to a file that is not supposed to change, and thus the argument for layers.
> >
> > Oh, don't get me wrong... I'm all for defense in depth. And while I agree that HIDS has some technological advantages over network based IDS, it also has serious management and cost disadvantages over them as well. I also think that network based IDS will close the security gap a lot faster than HIDS will the management gap. Cost will probably stay about the same. Basically, organizations will run network based IDS everywhere and HIDS only on a few critical systems. And I think most IDS companies realize this, which is why everyone hypes their NIDS/NIPS and seems to be putting a lot of $$$ into that technology and less so their HIDS. (I could be wrong about this one, it's just a gut feeling, I haven't done any studies or anything like that.)
-- 
/*
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 */
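The scheme Matt describes (an out-of-band sensor that pushes temporary block rules to an inline device that is already on the border) and Rajendran's point about blocking a signature match only until a patch lands come down to the same small piece of logic: a block manager with a TTL per rule and a list of addresses it must never touch. The following is an added example, not code from the original posts or from any vendor's IDS. The Snort-style fast-alert lines are constructed samples, the chain name IDSBLOCK and the executor hook are assumptions, and the iptables commands are produced as strings rather than run, so the logic works without root or a real firewall.

```python
"""Out-of-band IDS driving temporary DROP rules on an existing inline device.

Added example (not from the original posts). The alert lines below are
constructed samples in Snort-style "fast" alert format; the chain name
IDSBLOCK and the executor hook are assumptions. Commands are produced as
strings and handed to an executor so the logic runs without root.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Tail of a Snort-style fast alert: "[Priority: n] {PROTO} src[:port] -> dst[:port]"
_ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    "10/28-09:23:04.100000  [**] [1:1234:1] WEB-ATTACK suspicious request [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4433 -> 192.0.2.10:80",
    # Source address spoofed as our own gateway: must never be blocked.
    "10/28-09:23:05.200000  [**] [1:1234:1] WEB-ATTACK suspicious request [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.1:53 -> 192.0.2.10:1025",
    # Low-priority noise: log only, never block.
    "10/28-09:23:06.300000  [**] [1:2000:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    # Same attacker again: refresh the TTL instead of adding a duplicate rule.
    "10/28-09:23:07.400000  [**] [1:1234:1] WEB-ATTACK suspicious request [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4434 -> 192.0.2.10:80",
]


def parse_alert(line: str) -> Optional[dict]:
    """Extract priority, protocol and endpoints; None if the line is not an alert."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    return {"prio": int(m["prio"]), "proto": m["proto"],
            "src": m["src"], "dst": m["dst"]}


class BlockManager:
    """Keeps temporary per-source DROP rules on the border device.

    never_block lists networks the sensor may never block (gateway, DNS,
    partners): an attacker who spoofs those as the source of an attack
    would otherwise turn the auto-blocker into a denial of service.
    """

    def __init__(self, never_block: List[str], ttl: int = 600, max_prio: int = 1,
                 chain: str = "IDSBLOCK",
                 executor: Optional[Callable[[str], None]] = None):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.ttl = ttl                  # seconds a rule lives after its last alert
        self.max_prio = max_prio        # only alerts at this priority or better block
        self.chain = chain
        self.expires: Dict[str, int] = {}   # source IP -> expiry (epoch seconds)
        self.commands: List[str] = []       # dry-run record of emitted commands
        self.executor = executor or self.commands.append

    def _protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def handle_alert(self, line: str, now: int) -> str:
        """Act on one alert line at time `now`; returns what was done."""
        alert = parse_alert(line)
        if alert is None:
            return "unparsed"
        if alert["prio"] > self.max_prio:
            return "ignored-low-priority"
        src = alert["src"]
        try:
            if self._protected(src):
                return "skipped-protected"
        except ValueError:              # malformed address in the alert
            return "unparsed"
        if src in self.expires:
            self.expires[src] = now + self.ttl
            return "refreshed"
        self.executor(f"iptables -I {self.chain} -s {src} -j DROP")
        self.expires[src] = now + self.ttl
        return "blocked"

    def expire(self, now: int) -> List[str]:
        """Delete rules whose TTL has passed; returns the sources unblocked."""
        done = [ip for ip, t in self.expires.items() if t <= now]
        for ip in done:
            self.executor(f"iptables -D {self.chain} -s {ip} -j DROP")
            del self.expires[ip]
        return done


def run_demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Feed the constructed alerts through a manager and sweep twice."""
    mgr = BlockManager(never_block=["192.0.2.0/29", "198.51.100.53/32"], ttl=600)
    t0 = 1035814984                     # constructed epoch timestamp
    actions = [mgr.handle_alert(a, t0 + i) for i, a in enumerate(SAMPLE_ALERTS)]
    early = mgr.expire(t0 + 601)        # refreshed at t0+3, so still live
    late = mgr.expire(t0 + 700)         # now past its TTL: rule removed
    return actions, early, late, list(mgr.commands)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The never_block check is the part that matters operationally: the sensor sees only packets, so a spoofed source address is enough to make an unguarded auto-blocker cut off your own gateway, DNS or a partner; the protected-network check plus the TTL refresh are what make temporary rules safe to automate. Swapping the executor for subprocess.run on the border host turns the dry run into the real thing, and a cron'd call to expire() keeps the chain from growing forever.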
Current thread:
- Re: Changes in IDS Companies?, (continued)
- Re: Changes in IDS Companies? Eye Dius (Oct 17)
- Re: Changes in IDS Companies? Clint Byrum (Oct 17)
- Re: Changes in IDS Companies? Stephane Nasdrovisky (Oct 18)
- Re: Changes in IDS Companies? scottw (Oct 18)
- Re: Changes in IDS Companies? Clint Byrum (Oct 17)
- RE: Changes in IDS Companies? tcleary2 (Oct 17)
- FW: Changes in IDS Companies? Avi Chesla (Oct 22)
- Re: Changes in IDS Companies? Proxy Administrator (Oct 25)
- Re: Changes in IDS Companies? Aaron Turner (Oct 25)
- Re: Changes in IDS Companies? A.S.Rajendran (Oct 25)
- Re: Changes in IDS Companies? Aaron Turner (Oct 25)
- Re: Changes in IDS Companies? Matt Harris (Oct 28)
- Re: Changes in IDS Companies? Aaron Turner (Oct 28)
- Re: Changes in IDS Companies? Matt Harris (Oct 29)
- Re: Changes in IDS Companies? Aaron Turner (Oct 29)
- Re: Changes in IDS Companies? Matt Harris (Oct 31)
- Re: Changes in IDS Companies? J. Foobar (Oct 31)
- Re: Changes in IDS Companies? Eye Dius (Oct 17)
- Re: Changes in IDS Companies? Martin Roesch (Oct 31)