IDS mailing list archives
Re: Changes in IDS Companies?
From: "Proxy Administrator" <proxyadmin () rediffmail com>
Date: 25 Oct 2002 14:59:43 -0000
On Wed, 23 Oct 2002, Aaron Turner wrote:
> Oh, don't get me wrong... I'm all for defense in depth. And while I
> agree that HIDS has some technological advantages over
> network based IDS, it also has serious management and cost
> disadvantages over them as well. I also think that network based
> IDS will close the security gap a lot faster than HIDS will the
> management gap. Cost will probably stay about the same.
Considering the greater potential of a HIDS and the greater advantage of running a HIDS (along with a NIDS), it would not be wise to think that NIDS will close the security gap faster. What about insider attacks, local exploits, etc.? We see a lot of advisories which say,
Remote: yes
Local: no

For example, Sun Solaris /bin/login Authentication Bypass Vulnerability. This is not true for this and for so many others, yet advisories are released this way. (Maybe we need to reconsider how advisories are written too)
Now, anyone whose signatures have been updated but systems haven't will be able to detect remote attempts to exploit this, but what about local attempts? They will go undetected. NIDS cannot do its magic here. So, one system gets trojanned, many others get exploited.
But Aaron is right when he says management and cost issues remain a disadvantage. But it shouldn't be too difficult for vendors to solve management problems, might be difficult for organizations to accept them!
Basically, organizations will run network based IDS everywhere and HIDS only on a few critical systems. And I think most IDS companies realize this, which is why everyone hypes their NIDS/NIPS and seems to be putting in a lot of $$$ into that technology and less so their HIDS. (I could be wrong about this one, it's just a gut feeling, I haven't done any studies or anything like that.)
They sell the solution saying it will take care of everything. They then can't go around saying that customers would need a HIDS to detect attacks which "cannot" be detected by the NIDS. It would be quite a shame if companies don't give the same amount of importance to developing HIDS technology, considering how difficult things might be for NIDS to detect attacks in the future with increasing use of encryption.
Regards, Proxy Administrator