IDS mailing list archives

RE: eEye Blink and other Endpoint IPS solutions.


From: "Alex Arndt" <aarndt () rogers com>
Date: Tue, 28 Jun 2005 21:51:08 -0400

Comments in-line below...

-----Original Message-----
From: mashraf () hushmail com [mailto:mashraf () hushmail com]
Sent: June 27, 2005 7:05 AM
To: focus-ids () securityfocus com
Subject: eEye Blink and other Endpoint IPS solutions. 


<PGP Info removed>

Hi,

Is there anyone out there using Host Based Intrusion Detection
systems like eEye's Blink that would care to comment on their
performance? What I'd like to know is what kind of impact they have
on system performance and how their effectiveness compares to NIPS.
They seem to be far cheaper for small to medium size businesses and
would seem to avoid the question of whether the IPS can handle
network traffic greater than 1Gbs. Or am I trying to compare apples
and oranges?

I don't think you're comparing apples and oranges so much as,
perhaps, two sides of the same coin. I've personally had very
limited experience with either NIPS or HIPS (I'm still stuck
in the NIDS/HIDS world), but I think the two of them need to be
deployed within the same environment to create a layered defence.
Of course, this (and everything below) is just my two cents.

As for (at least, academically) comparing the two technologies,
it is my understanding that NIPS excel at rate-based detection,
while HIPS are great at stack-based detection (please forgive
the over-simplification). In other words, if you're worried
about DDoS attacks, you need NIPS. However, if you're worried
about mitigating buffer overflows against your web server,
you'll be better served by HIPS.

Vendors will tell you that their NIPS or HIPS product will
protect you from both of these, but it seems logical that
network-based attacks (like DDoS) should be detected on the
network, while attacks against applications or services on
a host should be detected at the host itself. If the two
technologies overlap, even better. This reduces the chances
that something is going to get through and clobber you.

In the end, it is very difficult to detect attacks against
applications and services (buffer overflow attacks, DLL
insertion attacks, etc.) at the network level. You just
can't account for all possible applications (and their
associated vulnerabilities) on all possible operating
systems (again, with their own associated vulnerabilities).
An attack against MS Word running on an Apple computer
just won't work the same as the same attack against MS
Word running on an x86 PC. How is it remotely possible to account
for all the possible variances and combinations of the two
factors using a NIPS? That is why HIPS is invaluable, even
if NIPS is protecting the gateway to the network on which
your host resides. It will detect an attack against your
host in a proper context for that host, given the apps
and OS installed (theoretically, anyway). If you rely
solely on NIPS to protect you against so-called "content
attacks", you'll likely just end up DoS'ing yourself
due to false-positives.

Conversely, how effective can a HIPS be (on its own) at
detecting a DDoS attack? It cannot effectively attempt
to track various parameters (TCP streams, UDP flows,
etc.) without chewing up valuable resources (memory and
CPU cycles, for example) that may impact the usability
of the host that the HIPS is running on. You might try
correlating detects from various HIPS in the same
environment, but now you have additional overhead, both
in terms of the data passage to the HIPS monitoring
solution and the additional processing cost. Since this
information is already on the wire (so to speak), you
now have a use case for NIPS too.

One final observation. You're bang-on (again, IMHO) when
you say that HIPS takes care of two considerations, which
are cost and overcoming the throughput problem. In small
to medium organisations where cost drives most issues,
it's a tough sell to invest in costly NIPS. This is
especially true if bandwidth is not a key consideration
in your decision-making process. Unfortunately, in those
situations where the available bandwidth (gigabit or
otherwise) does matter, you cannot protect yourself from
attacks against bandwidth without the use of NIPS.

Thanks,
Mina

I hope my comments add something to this discussion, even
if it's not with "testimonial" statements about specific
solutions.

Alex Arndt
CISSP, GCIA, GCIH

"Within all order is the potential for chaos..." 
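A small worked example to go with the "rate-based detection" point above (this is added here, not code from the thread or from any product mentioned in it): a sliding-window SYN counter of the kind a NIPS sitting on the wire can run cheaply. The flow records, addresses, threshold and window size are all constructed for illustration. The same function is keyed once by source address (a single noisy host) and once by destination address (many sources hitting one target); the second case is only visible from a vantage point that sees every source, which is the "already on the wire" argument in the reply.

```python
from collections import defaultdict, deque

# Field positions in a constructed flow record:
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
TS, SRC, DST, DPORT, FLAGS = range(5)


def detect_syn_rate(flows, key=SRC, threshold=5, window=1.0):
    """Return alerts as (key_value, timestamp, count) whenever at least
    `threshold` bare SYNs keyed by `key` (source or destination address)
    fall inside a sliding window of `window` seconds.

    One alert is raised per key, so a sustained flood yields one alert
    rather than one per packet. Thresholds here are illustrative."""
    recent = defaultdict(deque)   # key -> timestamps of recent SYNs
    alerted = set()
    alerts = []
    for rec in sorted(flows, key=lambda r: r[TS]):
        if rec[FLAGS] != "S":       # only bare SYNs, i.e. new connection attempts
            continue
        k = rec[key]
        q = recent[k]
        q.append(rec[TS])
        while q and q[0] < rec[TS] - window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= threshold and k not in alerted:
            alerted.add(k)
            alerts.append((k, rec[TS], len(q)))
    return alerts


# Constructed sample: one host fires five SYNs in under a second at a web
# server, a second host opens three connections spread over three seconds,
# and the server's SYN-ACK reply appears as well (it must not be counted).
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "192.0.2.10", 80, "S"),
    (0.2, "10.0.0.5", "192.0.2.10", 80, "S"),
    (0.3, "10.0.0.7", "192.0.2.10", 443, "S"),
    (0.4, "10.0.0.5", "192.0.2.10", 80, "S"),
    (0.6, "10.0.0.5", "192.0.2.10", 80, "S"),
    (0.8, "10.0.0.5", "192.0.2.10", 80, "S"),    # fifth SYN inside 1 s -> alert
    (1.0, "192.0.2.10", "10.0.0.7", 443, "SA"),  # SYN-ACK, ignored
    (1.5, "10.0.0.7", "192.0.2.10", 443, "S"),
    (3.0, "10.0.0.7", "192.0.2.10", 443, "S"),   # three SYNs over 3 s, below rate
    (3.1, "10.0.0.5", "192.0.2.10", 80, "S"),    # flood continues, already alerted
]

# Constructed distributed case: eight distinct sources, one SYN each,
# all aimed at the same server within 0.8 s. Per source nothing stands
# out; per destination the threshold is crossed on the fifth packet.
DISTRIBUTED_FLOWS = [
    (i / 10, f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(1, 9)
]


if __name__ == "__main__":
    print("single noisy source   :", detect_syn_rate(SAMPLE_FLOWS))
    print("distributed, by source:", detect_syn_rate(DISTRIBUTED_FLOWS))
    print("distributed, by target:", detect_syn_rate(DISTRIBUTED_FLOWS, key=DST))
```

Running it shows the per-source view catching the single flooding host and missing the distributed one, while the per-destination view catches the distributed case. A host-based sensor only ever sees the flows addressed to itself, so to reach the per-destination count across many hosts you would have to ship each host's counters to a central correlator, which is exactly the extra overhead the reply describes.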

