IDS mailing list archives

Re: NADS ( was RE: IPS comparison)


From: Sanjay Rawat <sanjayr () intoto com>
Date: Thu, 01 Sep 2005 09:52:07 +0530

Hi All:
Now, after reading mails from so many experts, I am becoming confused over one issue. Why are people comparing IDS with IPS or NADS? IDS is the most generic concept. Be it IPS or NADS, they are essentially IDS. Without an IDS engine, neither IPS nor NADS is going to work. The most generic architecture of an IDS consists of one "monitored system", a data/audit unit (to collect and preprocess data), a data analysis unit (the brain of the IDS) and one response unit (for actions). Based on the data/audit unit there are 2 types of IDS: 1) Network based (NIDS); 2) Host based (HIDS). Based on the analysis unit, again there are 2 types of IDS: 1) Misuse-based; 2) Anomaly-based. => NADS = NIDS + Anomaly. From this description, is it really fair to compare IDS with NADS?? NADS is a specific case of IDS.

I remember one mail in this mailing list saying "...IDS is evolving and IPS is its new state (so a betterment over the old one)." I think this is correct. If you see, nowadays even firewalls (application level ones) are also providing some attack detection. So, I don't think that IDS is dead (Gartner's quote). It's being used in many other devices to improve performance. Please point out if I am missing something.

Regards
Sanjay

At 08:41 AM 8/31/2005, Joseph Hamm wrote:
Hassan,

You make some good points, but I'd like the opportunity to clear up a
few things about my NADS:

> IMHO comparing pure play behavior detection to IPS is like comparing
> apples and oranges.

I couldn't agree more.  I spoke up because Stefano brought up the topic
of anomaly detection. One thing that does bother me is how IPS has been
painted as a "magic bullet" by vendors (and even the press).  IPS works
great at the perimeter or other "choke points" in the network.  However,
in speaking with customers, it is too costly to deploy in a scenario
that can give you adequate network visibility or proper blocking
capabilities inside your organization.  It should remain a perimeter
solution, placed in a strategic location to protect key assets (example
would be a group of critical servers), or perhaps one day merged into
your network infrastructure (perhaps the future as painted by
Tippingpoint and 3com).



Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
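The four-unit IDS architecture and the misuse/anomaly split described in the post above, shown as an added example (this is not code from the original thread, from INTOTO, or from any vendor mentioned): a small Python sensor whose data/audit unit parses constructed flow records, whose analysis unit runs a misuse-based (signature) detector and an anomaly-based (per-source port-count baseline) detector over them, and whose response unit turns the same alerts into a "log" action (IDS) or a "drop" action (IPS). The record format, the two signatures, the sample flows and the baseline threshold are all assumptions made for illustration.

```python
"""Toy IDS pipeline: monitored system -> data/audit unit -> analysis unit -> response unit.

Added illustration only; the record format, signatures and baseline are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Alert:
    kind: str    # "misuse" or "anomaly"
    src: str
    reason: str


# Constructed sample audit data from a hypothetical network sensor (not real traffic).
SAMPLE_FLOWS = """\
2005-08-31T08:40:01 10.0.0.5 -> 10.0.1.20:80 payload="GET /index.html HTTP/1.1"
2005-08-31T08:40:02 10.0.0.5 -> 10.0.1.20:80 payload="GET /about.html HTTP/1.1"
2005-08-31T08:40:03 10.0.0.6 -> 10.0.1.20:80 payload="GET /contact.html HTTP/1.1"
2005-08-31T08:40:04 10.0.0.7 -> 10.0.1.20:80 payload="GET /cgi-bin/../../etc/passwd HTTP/1.0"
2005-08-31T08:40:05 10.0.0.9 -> 10.0.1.20:21 payload=""
2005-08-31T08:40:05 10.0.0.9 -> 10.0.1.20:22 payload=""
2005-08-31T08:40:05 10.0.0.9 -> 10.0.1.20:23 payload=""
2005-08-31T08:40:05 10.0.0.9 -> 10.0.1.20:25 payload=""
2005-08-31T08:40:05 10.0.0.9 -> 10.0.1.20:80 payload=""
2005-08-31T08:40:05 10.0.0.9 -> 10.0.1.20:443 payload=""
"""

FLOW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) payload="(?P<payload>.*)"$'
)


def parse_flows(text):
    """Data/audit unit: collect raw records and normalise them into Flow objects."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:  # a malformed record is skipped rather than crashing the sensor
            flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["payload"]))
    return flows


# Misuse-based analysis: match known-bad patterns (hypothetical signatures).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "unix passwd file request": re.compile(r"/etc/passwd"),
}


def misuse_detect(flows):
    """Analysis unit, misuse-based: one alert per (flow, signature) hit."""
    return [Alert("misuse", f.src, name)
            for f in flows
            for name, pat in SIGNATURES.items() if pat.search(f.payload)]


def anomaly_detect(flows, max_ports_per_src=3):
    """Analysis unit, anomaly-based: flag a source whose distinct-port count exceeds
    a baseline profile (assumed here to be 3 ports; a real NADS would learn it)."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return [Alert("anomaly", src, f"{len(p)} distinct destination ports, baseline {max_ports_per_src}")
            for src, p in sorted(ports.items()) if len(p) > max_ports_per_src]


def respond(alerts, inline=False):
    """Response unit: the same alerts drive 'log' (passive IDS) or 'drop' (inline IPS)."""
    action = "drop" if inline else "log"
    return {a.src: action for a in alerts}


def run(text, inline=False):
    """Whole pipeline over one batch of audit data; returns (alerts, actions)."""
    flows = parse_flows(text)
    alerts = misuse_detect(flows) + anomaly_detect(flows)
    return alerts, respond(alerts, inline)


if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS)[0]:
        print(alert)
```

Nothing in the analysis unit changes between the IDS and IPS runs; only the response unit differs, which is the point made above about IPS being an IDS engine with a different action. Likewise, running only `anomaly_detect` over network-sourced flows is the NADS case of the same architecture.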