Security Basics mailing list archives

Re: Host IPS -vs- Network IPS? Do we need both?


From: krymson () gmail com
Date: Thu, 4 Dec 2008 07:25:55 -0700

I'm not surprised at all that vendors may offer one or the other; HIPS and NIPS are two very different products.

Do you *need* both? That depends. *Should* you have a network detection system *and* something on your hosts to act as 
detection/prevention? Almost certainly. But like you concede with the maintenance issue, few businesses seem to 
properly appreciate the attention these systems will always need. If you don't have the culture or people to monitor 
them and keep them tuned and keep them from impeding the users, they may just be a waste of money.

Do HIPS and NIPS overlap? Yes they do, when it comes to things passing on the wire. But once inside the NIC, that's 
where HIPS continues to work. And that is only assuming all your hosts stay on your network (laptops abroad?).

In the end, however, they are very different products serving the security needs of very different people, teams 
(network vs desktop), and systems. I don't think you'd ever get away with justifying lack of HIPS because you have 
NIPS. However, you probably can justify lack of HIPS if you have good antivirus and host-based firewalls in place.

Keep in mind that natural cycle of marketing; yesterday's antivirus, antimalware, antispyware, host-based firewall is 
being rebranded into host-based IPS/IDS these days. 



<- snip ->
Some IPS vendors do not offer a Host IPS solution

Is there really a need for Host IPS if you already have Network IPS covering
the same network area? What about if you already have other solutions on the
host (i.e. file integrity)?

The overhead associated with Host IPS is very high (manage agent installs,
kernel module conflicts, etc). Just curious if Host IDS is worth it if
the same coverage is provided with a Network IDS.

