Intrusion Detection Systems mailing list archives
RE: Re : Market Segmentation of IDS
From: "Bill Royds" <broyds () home com>
Date: Wed, 20 Sep 2000 00:15:04 -0400
One thing that I see converging is that of Network IDS (sniffers) and host based (watching host processes). In these days of switched local area networks, the ability of a separate network based monitor to properly sort out the traffic is very limited. Of course you can span ports etc, but it gets harder and harder to analyse the actual data stream hitting a host.

The result of this is to put packet sniffers on each host to detect network input and then send the data to a monitoring station to amalgamate it into a stream for analysis tools. Since you are already on the host, you can also add information from the system logs, reflecting results of system processes as well as inputs. This approach has the added benefit of distributing the capture load as well. The disadvantage is the CPU cycles lost on each host machine. This kind of distributed IDS seems to be the approach of Network ICE and perhaps is better seen as another market segment.

Perhaps the future will see NICs built with part of the TCP/IP stack in hardware (packet re-assembly and buffering for instance) and with packet sniffing as a hardware option, offloading the CPU load. The problem of viewing the packets the way the host OS views them would still be there but much less of a problem. Packet drop wouldn't be a problem because dropped packets by the host stack are ignored anyway.
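The monitoring-station side of the arrangement described in the message above, as an added sketch that is not part of the original post and not any vendor's code: per-host agents report sniffed network input and system log lines, and the station amalgamates them into one time-ordered stream and pairs each log result with the network input that preceded it on the same host. The event layout, the sample feeds and the 2-second window are assumptions made for the illustration.

```python
import heapq
from collections import namedtuple

# Assumed record format sent by each host agent to the monitoring station.
Event = namedtuple("Event", "ts host source detail")

# Constructed sample feeds, one per host agent, each already in time order.
FEEDS = {
    "web1": [
        Event(100.0, "web1", "net", "tcp 10.0.0.9:4431 -> :80 GET /cgi-bin/test"),
        Event(100.4, "web1", "log", "httpd: 404 /cgi-bin/test"),
        Event(130.0, "web1", "log", "cron: job started"),
    ],
    "db1": [
        Event(100.2, "db1", "net", "tcp 10.0.0.9:4432 -> :22 SYN"),
        Event(101.0, "db1", "log", "sshd: failed password for root from 10.0.0.9"),
    ],
}

WINDOW = 2.0  # seconds; assumed correlation window


def amalgamate(feeds):
    """Merge the per-host feeds into a single stream ordered by timestamp."""
    return list(heapq.merge(*feeds.values(), key=lambda e: e.ts))


def correlate(stream, window=WINDOW):
    """Pair each log event with the latest network input seen on the same
    host no more than `window` seconds earlier."""
    last_net = {}  # host -> most recent "net" event
    pairs = []
    for ev in stream:
        if ev.source == "net":
            last_net[ev.host] = ev
        elif ev.source == "log":
            net = last_net.get(ev.host)
            if net is not None and ev.ts - net.ts <= window:
                pairs.append((net, ev))
    return pairs


if __name__ == "__main__":
    for net, log in correlate(amalgamate(FEEDS)):
        print(f"{log.host} +{log.ts - net.ts:.1f}s  {net.detail}  =>  {log.detail}")
```

The cron entry at t=130 stays unpaired because no network input reached web1 within the window, which is the separation of input-driven results from ordinary host activity that the combined view is meant to give.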
