Intrusion Detection Systems mailing list archives

Re: Hybrid IDS


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 07 Sep 2000 10:02:25 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Talisker wrote:
> Of late there has been a spate of vendors climbing aboard the hybrid IDS
> bandwagon.  As I understand it a hybrid IDS combines a host IDS with a non
> promiscuous network IDS on a single host, ideally suited to switched or
> hi-speed networks.

Not to spur a language debate, but:

The term "hybrid" is usually used as a description for things
that are a cross between two other things; simply describing
something as a "hybrid" is meaningless unless you say what
it is a hybrid _of_. I.e.: a mule is a hybrid of donkey / horse,
my motorcycle is a hybrid chopper / drag bike, etc.

So, it sounds like the vendors are talking about hybrid
host / network IDS that latch the bottom of the host's
IP stack and avoid promiscuous capture - a sort of
"non-promiscuous network layer host-based IDS" (that might be a
useful term for it).

> One vendor who has a console that accepts traffic from host IDS and
> enterprise network IDS has promoted their product as a hybrid IDS.

That's a hybrid also! :) I'd call that something like a
"cooperating host / network IDS" but, yes, terminology is
squishy.

> Another with a personal firewall has promoted their product as a hybrid IDS.

Yes, that's one of the network layer host based IDS. Many such
products "reach" up the stack into application space as well
as just the network layer. So they're definitely a mix of the
two techniques. (But, other than the fact that they do a bit of
both, they embody no new rocket science)

One place where the personal firewall / IDS hybrids present an
interesting challenge to clarity is in performance marketing.
Since they're operating at a packet level (sort of) an unscrupulous
vendor (hi! you know who you are!) could claim their performance
figures in terms of packets processed/second. So the vendor could
say "in recent tests, our network IDS handled 10,000,000,000
packets/second!!" without mentioning clearly that this was
accomplished using a single host on a switch, but the host was
only looking for attacks directed at itself... Such claims have
already been made - clearly deceptive, but there you have it.

> Is there a clear cut definition out there somewhere?

You're asking if marketing respects technical language? <giggle>
I wish...  :(  We went through the same kind of nonsense early
on in the firewall days - proxy firewalls, stateful turbo
multi-whomping packet examination, etc, etc. Eventually terms
settle down when the marketing folks find a set of features
they can tout that don't cause people to break out in belly
laughter whenever they use it.

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com
