IDS mailing list archives
Re: NADS ( was RE: IPS comparison)
From: Sanjay Rawat <sanjayr () intoto com>
Date: Thu, 01 Sep 2005 09:52:07 +0530
Hi All: Now, after reading mails from so many experts, I am becoming confused over one issue. Why are people comparing IDS with IPS or NADS? IDS is the most generic concept. Be it IPS or NADS, they are essentially IDS. Without an IDS engine, neither IPS nor NADS is going to work. The most generic architecture of an IDS consists of one "monitored system", a data/audit unit (to collect and preprocess data), a data analysis unit (the brain of the IDS) and one response unit (for actions). Based on the data/audit unit there are 2 types of IDS: 1) Network based (NIDS); 2) Host based (HIDS). Based on the analysis unit, again there are 2 types of IDS: 1) Misuse-based; 2) Anomaly-based. => NADS = NIDS + Anomaly. From this description, is it really fair to compare IDS with NADS?? NADS is a specific case of IDS.
I remember one mail in this mailing list saying "....IDS is evolving and IPS is its new state (so a betterment over the old one)." I think this is correct. If you see, nowadays even firewalls (application level ones) are also providing some attack detection. So, I don't think that IDS is dead (Gartner's quote). It's being used in many other devices to improve performance. Please point out if I am missing something.
Regards,
Sanjay

At 08:41 AM 8/31/2005, Joseph Hamm wrote:
> Hassan, You make some good points, but I'd like the opportunity to clear up a few things about my NADS:
>
> >IMHO comparing pure play behavior detection to IPS is like comparing apples and oranges.
>
> I couldn't agree more. I spoke up because Stefano brought up the topic of anomaly detection. One thing that does bother me is how IPS has been painted as a "magic bullet" by vendors (and even the press). IPS works great at the perimeter or other "choke points" in the network. However, in speaking with customers, it is too costly to deploy in a scenario that can give you adequate network visibility or proper blocking capabilities inside your organization. It should remain a perimeter solution, placed in a strategic location to protect key assets (example would be a group of critical servers), or perhaps one day merged into your network infrastructure (perhaps the future as painted by Tippingpoint and 3com).
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website: www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
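To make the architecture Sanjay sketches concrete, here is an added example (not code from the thread or from any product mentioned in it): the same data/audit unit output is fed either to a misuse-based analysis unit or to an anomaly-based one, and the response unit stays unchanged, which is what makes NADS (NIDS + anomaly) a specific case of the generic IDS. The flow records, the baseline and the single signature are constructed sample values.

```python
# Added example: Sanjay's four-unit IDS architecture with a pluggable analysis unit.
from collections import Counter
from statistics import mean, pstdev

# Constructed output of the data/audit unit: (src_ip, dst_port, bytes) per flow.
FLOWS = [("10.0.0.5", 80, 1200), ("10.0.0.5", 443, 900), ("10.0.0.7", 22, 300),
         ("10.0.0.5", 80, 9000), ("10.0.0.9", 3389, 500), ("10.0.0.9", 3389, 480)]
# Constructed "normal" traffic used to train the anomaly-based unit.
BASELINE = [("10.0.0.5", 80, 1000), ("10.0.0.5", 443, 950), ("10.0.0.7", 22, 310)] * 4
# Constructed misuse signature: one known-bad destination port.
SIGNATURES = {3389: "RDP to internal host"}

def misuse_analysis(flows, signatures=SIGNATURES):
    """Misuse-based unit: alert only on flows matching a known signature."""
    return [(f, sig) for f in flows for port, sig in signatures.items() if f[1] == port]

def anomaly_analysis(flows, baseline=BASELINE, z_thresh=3.0):
    """Anomaly-based unit: alert on ports absent from the baseline, or on byte
    counts more than z_thresh standard deviations from the baseline mean."""
    known_ports = {p for _, p, _ in baseline}
    sizes = [b for _, _, b in baseline]
    mu, sigma = mean(sizes), pstdev(sizes) or 1.0  # guard a constant baseline
    alerts = []
    for f in flows:
        if f[1] not in known_ports:
            alerts.append((f, "unseen destination port"))
        elif abs(f[2] - mu) / sigma > z_thresh:
            alerts.append((f, "byte count deviates from baseline"))
    return alerts

def response_unit(alerts):
    """Response unit: count alerts per source host for triage."""
    return Counter(src for (src, _, _), _ in alerts)

def run_ids(flows, analysis):
    """Generic pipeline: data/audit unit -> analysis unit -> response unit."""
    return response_unit(analysis(flows))

if __name__ == "__main__":
    # The misuse unit only sees the RDP flows; the anomaly unit also flags the
    # unusually large transfer on port 80 that no signature describes.
    print("misuse :", dict(run_ids(FLOWS, misuse_analysis)))
    print("anomaly:", dict(run_ids(FLOWS, anomaly_analysis)))
```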
Current thread:
- Re: NADS ( was RE: IPS comparison) Sanjay Rawat (Sep 01)
- <Possible follow-ups>
- RE: NADS ( was RE: IPS comparison) Joseph Hamm (Sep 02)
- Re: NADS ( was RE: IPS comparison) Iván Arce (Sep 02)