IDS mailing list archives
RE: eEye Blink and other Endpoint IPS solutions.
From: "Alex Arndt" <aarndt () rogers com>
Date: Tue, 28 Jun 2005 21:51:08 -0400
Comments in-line below...
-----Original Message-----
From: mashraf () hushmail com [mailto:mashraf () hushmail com]
Sent: June 27, 2005 7:05 AM
To: focus-ids () securityfocus com
Subject: eEye Blink and other Endpoint IPS solutions.
<PGP Info removed>
Hi,

Is there anyone out there using Host Based Intrusion Detection systems like eEye's Blink that would care to comment on their performance? What I'd like to know is what kind of impact they have on system performance and how their effectiveness compares to NIPS. They seem to be far cheaper for small to medium size businesses and would seem to avoid the question of whether the IPS can handle network traffic greater than 1 Gb/s. Or am I trying to compare apples and oranges?
I don't think you're comparing apples and oranges so much as, perhaps, two sides of the same coin. I've personally had very limited experience with either NIPS or HIPS (I'm still stuck in the NIDS/HIDS world), but I think the two of them need to be deployed within the same environment to create a layered defence. Of course, this (and everything below) is just my two cents.

As for (at least, academically) comparing the two technologies, it is my understanding that NIPS excel at rate-based detection, while HIPS are great at stack-based detection (please forgive the over-simplification). In other words, if you're worried about DDoS attacks, you need NIPS. However, if you're worried about mitigating buffer overflows against your web server, you'll be better served by HIPS. Vendors will tell you that their NIPS or HIPS product will protect you from both of these, but it seems logical that network-based attacks (like DDoS) should be detected on the network, while attacks against applications or services on a host should be detected at the host itself. If the two technologies overlap, even better. This reduces the chances that something is going to get through and clobber you.

In the end, it is very difficult to detect attacks against applications and services (buffer overflow attacks, DLL insertion attacks, etc.) at the network level. You just can't account for all possible applications (and their associated vulnerabilities) on all possible operating systems (again, with their own associated vulnerabilities). An attack against MS Word running on an Apple computer just won't work the same as the same attack against MS Word running on an x86 PC. How is it remotely possible to account for all the possible variances and combinations of the two factors using a NIPS? That is why HIPS is invaluable, even if NIPS is protecting the gateway to the network on which your host resides. It will detect an attack against your host in a proper context for that host, given the apps and OS installed (theoretically, anyway). If you rely solely on NIPS to protect you against so-called "content attacks", you'll likely just end up DoS'ing yourself due to false positives.

Conversely, how effective can a HIPS be (on its own) at detecting a DDoS attack? It cannot effectively attempt to track various parameters (TCP streams, UDP flows, etc.) without chewing up valuable resources (memory and CPU cycles, for example) that may impact the usability of the host that the HIPS is running on. You might try correlating detects from various HIPS in the same environment, but now you have additional overhead, both in terms of the data passage to the HIPS monitoring solution and the additional processing cost. Since this information is already on the wire (so to speak), you now have a use case for NIPS too.

One final observation. You're bang-on (again, IMHO) when you say that HIPS takes care of two considerations, which are cost and overcoming the throughput problem. In small to medium organisations where cost drives most issues, it's a tough sell to invest in costly NIPS. This is especially true if bandwidth is not a key consideration in your decision-making process. Unfortunately, in those situations where the available bandwidth (gigabit or otherwise) does matter, you cannot protect yourself from attacks against bandwidth without the use of NIPS.
Thanks, Mina
I hope my comments add something to this discussion, even if it's not with "testimonial" statements about specific solutions.

Alex Arndt
CISSP, GCIA, GCIH
"Within all order is the potential for chaos..."
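The rate-based versus context-aware split that Alex describes above, as an added illustration that is not part of the thread or of any vendor product. The flow records, host profiles, thresholds and addresses are all constructed for the example. The network-side detector needs to see SYNs to a target from every source at once (a choke-point view), while the host-side check relies on knowledge only the endpoint has: what its own service on that port can safely accept. The same 1024-byte request is an alert on one host and noise on another, which is the false-positive problem a context-free NIPS runs into.

```python
"""Rate-based (network) vs. context-aware (host) detection over constructed flows.

Added example for illustration only; thresholds, addresses and buffer sizes are assumed.
"""
from collections import defaultdict, deque

WINDOW_S = 1.0       # sliding window for the rate-based check (assumed)
SYN_THRESHOLD = 5    # SYNs to one destination inside WINDOW_S (assumed, deliberately low)
MIN_SOURCES = 3      # distinct sources before it counts as distributed (assumed)

# Constructed sample traffic: (time_s, src, dst, dport, tcp_flags, payload_len)
FLOWS = [
    (0.00, "203.0.113.1", "10.0.0.5", 80, "S", 0),
    (0.10, "203.0.113.2", "10.0.0.5", 80, "S", 0),
    (0.15, "198.51.100.7", "10.0.0.6", 80, "PA", 1024),
    (0.20, "203.0.113.3", "10.0.0.5", 80, "S", 0),
    (0.30, "203.0.113.4", "10.0.0.5", 80, "S", 0),
    (0.40, "203.0.113.5", "10.0.0.5", 80, "S", 0),
    (0.50, "203.0.113.6", "10.0.0.5", 80, "S", 0),
    (0.60, "198.51.100.9", "10.0.0.5", 80, "PA", 1024),
    (2.00, "198.51.100.7", "10.0.0.6", 80, "S", 0),   # one busy client, not a flood
    (2.10, "198.51.100.7", "10.0.0.6", 80, "S", 0),
]

# Constructed per-host context: the request buffer each host's port-80 service
# can safely accept. Only the host (or its HIPS) knows this.
HOST_PROFILES = {
    "10.0.0.5": {80: 256},    # small fixed-size buffer
    "10.0.0.6": {80: 4096},   # same port, larger buffer
}


def detect_syn_flood(flows, window=WINDOW_S, threshold=SYN_THRESHOLD,
                     min_sources=MIN_SOURCES):
    """Network-side, rate-based detection.

    Keeps a per-destination sliding window of SYN arrivals across all traffic
    it can see. Returns one (time, dst) alert per flooded destination.
    """
    recent = defaultdict(deque)   # dst -> deque of (time, src) within the window
    alerted = set()
    alerts = []
    for t, src, dst, _dport, flags, _plen in sorted(flows):
        # Only bare connection attempts: SYN set, ACK clear (ignores SYN/ACK, data).
        if "S" not in flags or "A" in flags:
            continue
        q = recent[dst]
        q.append((t, src))
        while q and t - q[0][0] > window:
            q.popleft()
        sources = {s for _, s in q}
        if len(q) >= threshold and len(sources) >= min_sources and dst not in alerted:
            alerted.add(dst)
            alerts.append((t, dst))
    return alerts


def detect_oversized_request(flows, profiles=HOST_PROFILES):
    """Host-side, context-aware detection.

    Flags a payload that exceeds what the receiving host's service can hold.
    Without the profile, a network device would have to alert on every 1024-byte
    request (false positives) or on none (misses).
    Returns (time, src, dst, dport, payload_len) per oversized request.
    """
    alerts = []
    for t, src, dst, dport, _flags, plen in sorted(flows):
        limit = profiles.get(dst, {}).get(dport)
        if limit is not None and plen > limit:
            alerts.append((t, src, dst, dport, plen))
    return alerts


if __name__ == "__main__":
    print("rate-based (network view):", detect_syn_flood(FLOWS))
    print("context-aware (host view):", detect_oversized_request(FLOWS))
```

Run over the constructed traffic, the rate-based detector fires once for 10.0.0.5 (five SYNs from five sources inside one second) and stays quiet for 10.0.0.6, whose two SYNs come from a single client. The host-side check flags only the 1024-byte request to 10.0.0.5, because 10.0.0.6 declares a buffer large enough to hold it.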
Current thread:
- eEye Blink and other Endpoint IPS solutions. mashraf (Jun 27)
- RE: eEye Blink and other Endpoint IPS solutions. Alex Arndt (Jun 28)
- <Possible follow-ups>
- Re: eEye Blink and other Endpoint IPS solutions. Mark Teicher (Jun 28)
- RE: eEye Blink and other Endpoint IPS solutions. Billy Dodson (Jun 28)
- RE: eEye Blink and other Endpoint IPS solutions. mashraf (Jun 30)
- RE: eEye Blink and other Endpoint IPS solutions. Andrew Plato (Jun 30)
- RE: eEye Blink and other Endpoint IPS solutions. Palmer, Paul (ISSAtlanta) (Jun 30)