IDS mailing list archives
Re: Changes in IDS Companies?
From: Aaron Turner <aturner () pobox com>
Date: Fri, 25 Oct 2002 17:29:13 -0700
On Fri, Oct 25, 2002 at 02:35:58PM +0530, A.S.Rajendran wrote:
<snip>
> Inline IPS has the ability to block the suspicious traffic, but it has performance penalties. NIDS cannot effectively block the traffic, but it will not degrade the network performance. We should use the positive points of both. The inline IPS method should be used to block traffic with protocol anomalies and to block some suspicious packets temporarily by using signatures until a patch is available for the vulnerable services. NIDS can be used to monitor all the traffic and generate a log message for all suspicious packets. HIDS can be used for detecting repeated failed access attempts or changes to critical system files.
See, that's something I don't get... If the inline IPS (NIPS) device has to process all the traffic in order to determine what to block, why have a NIDS which just has to re-process the same traffic all over again? Generating log messages is a tiny fraction of the CPU required to actually process the packets; there just doesn't seem, in my mind at least, any justification to owning both NIPS and NIDS.

I can understand not trusting a NIPS enough to deploy it (for reliability, performance, or accuracy reasons), but if you do deploy it, there doesn't seem to be a need for a traditional NIDS... well, unless the NIPS you choose just plain sucks at finding attacks, in which case, why did you buy the NIPS in the first place?

Defense in depth doesn't mean deploying EVERYTHING the market has to offer; it means properly choosing a solution (not to mean a single product or vendor) which provides the security which best defends against your threat model.

--
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/aturner
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.
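The point argued in this exchange, as an added example that is not code from the thread or from either poster: one detection engine (signatures plus a toy protocol-anomaly check, with an expiring "block until patched" rule as Rajendran describes) drives both an inline deployment that drops and a passive tap that only logs. The traffic, rules and dates are constructed for the example; the matching work and the alerts come out identical, only the drop action differs.

```python
# Added example, not from the thread: one engine, two deployment modes.

# Constructed sample traffic: (src, dst_port, payload)
TRAFFIC = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    ("10.0.0.7", 25, b"HELO " + b"A" * 600 + b"\r\n"),
]

# Constructed rules: (name, port, byte pattern, inline action, expiry as ISO date or None).
# The SMTP rule is a temporary block standing in for a patch; it lapses on expiry.
RULES = [
    ("http-traversal", 80, b"../..", "drop", None),
    ("smtp-helo-probe", 25, b"HELO ", "drop", "2002-11-30"),
]

def protocol_anomaly(port, payload):
    """Toy protocol check: an SMTP command line longer than the 512-byte limit."""
    return port == 25 and len(payload) > 512

def inspect(pkt, today, work):
    """Shared engine. Returns [(reason, action)]; work[0] counts pattern tests."""
    _src, port, payload = pkt
    hits = []
    if protocol_anomaly(port, payload):
        hits.append(("protocol-anomaly", "drop"))
    for name, rport, pattern, action, expires in RULES:
        if rport != port or (expires and today > expires):
            continue  # wrong port, or the temporary rule has lapsed
        work[0] += 1  # the expensive part: the actual payload match
        if pattern in payload:
            hits.append((name, action))
    return hits

def inline_ips(traffic, today="2002-10-25"):
    """Inline: drop on any 'drop' verdict, forward the rest, log every hit."""
    work, forwarded, alerts = [0], [], []
    for pkt in traffic:
        hits = inspect(pkt, today, work)
        alerts.extend((pkt[0], reason) for reason, _ in hits)
        if not any(action == "drop" for _, action in hits):
            forwarded.append(pkt)
    return forwarded, alerts, work[0]

def passive_nids(traffic, today="2002-10-25"):
    """Passive tap: same engine, same alerts, nothing is ever dropped."""
    work, alerts = [0], []
    for pkt in traffic:
        alerts.extend((pkt[0], reason) for reason, _ in inspect(pkt, today, work))
    return alerts, work[0]
```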