Re: Changes in IDS Companies?

["A.S.Rajendran" <asraj () intotoinc com>]

There is no single solution for network security.One should use a 
combination of all to effectively secure the network.
Both NIDS and Inline IPS method has their particular strengths and weaknesses.
Inline IPS has the ability to block the suspicious traffic. But it has 
performance penalties. NIDS cannot effectively block the traffic. But it 
will not degrade the network performance. We should use the positive points 
of both.
 Inline IPS method should be used to block traffic with protocol anomaly 
and to block some suspicious packet temporary by using signatures until 
some patch is available to the vulnerable services. NIDS can be used to 
monitor all the traffic and generate a log message for all suspicious 
packets. HIDS can be used for detecting repeated failed access attempts or 
changes to critical system files.
A.S.Rajendran,
Project Leader,
Intoto Software (I) pvt Ltd,
Secunderabad, India.
email: asraj () intotoinc com.
web: www.intotoinc.com

> > And there
> > always will be such attacks, furthermore.  Conversely, HIDS has a much
> > easier time seeing a sudden change to a file that is not supposed to
> > change, and thus the argument for layers.
>
> Oh, don't get me wrong... I'm all for defense in depth.  And while I agree
> that HIDS has some technological advantages over network based IDS, it also
> has serious management and cost disadvantages over them as well.  I also
> think that network based IDS will close the securtiy gap a lot faster
> than HIDS will the management gap.  Cost will probably stay about the same.
>
> Basically, organizations will run network based IDS everywhere and HIDS only
> on a few critical systems.  And I think most IDS companies realize this,
> which is why everyone hypes their NIDS/NIPS and seems to be putting in a lot
> of $$$ into that technology and less so their HIDS.  (I could be wrong about
> this one, it's just a gut feeling, I haven't done any studies or anything
> like that.)