Re: Hybrid IDS

["Talisker" <Talisker () networkintrusion co uk>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Marcus
Whilst I understand the meaning of hybrid, and fully understand how both
vendors mentioned, (not) could legitimately claim that "hybrid" describes
their products,  I would rather vendors attempted to follow a party line in
product description, thereby avoiding customer confusion.  The best time to
categorize these products is whilst they are still in an embryonic stage of
evolution.    A couple of terms that have already fallen victim are
"information super highway" and "hacker", which both have different meanings
to their original.

I think you are right, terms will eventually settle down, but it would be
"nice" for vendors to agree (LOL) on terminology now, if only so I didn't
have to keep changing my website  ;o)

Take care

Andy
www.networkintrusion.co.uk Listing all known commercial IDS
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Marcus J. Ranum" <mjr () nfr net>
To: "Talisker" <Talisker () networkintrusion co uk>; <ids () uow edu au>;
<FOCUS-IDS () securityfocus com>
Sent: Thursday, September 07, 2000 3:02 PM
Subject: Re: IDS: Hybrid IDS


> Talisker wrote:
> > Of late there has been a spate of vendors climbing aboard the hybrid IDS
> > bandwagon.  As I understand it a hybrid IDS combines a host IDS with a
non
> > promiscuous network IDS on a single host, ideally suited to switched or
> > hi-speed networks.
>
> Not to spur a language debate, but:
>
> The term "hybrid" is usually used as a description for things
> that are a cross between two other things; simply describing
> something as a "hybrid" is meaningless unless you say what
> it is a hybrid _of_. I.e.: a mule is a hybrid of donkey / horse,
> my motorcycle is a hybrid chopper / drag bike, etc.
>
> So, it sounds like the vendors are talking about hybrid
> host / network IDS that latch the bottom of the host's
> IP stack and avoid promiscuous capture - a sort of
> "non-promiscuous network layer host-based IDS" (that might be a
> useful term for it).
>
> > One vendor who has a console that accepts traffic from host IDS and
> > enterprise network IDS has promoted their product as a hybrid IDS.
>
> That's a hybrid also! :) I'd call that something like an
> "cooperating host / network IDS"  but, yes, terminology is
> squishy.
>
> >   Another
> > with a personal firewall has promoted their product as a hybrid IDS.
>
> Yes, that's one of the network layer host based IDS. Many such
> products "reach" up the stack into application space as well
> as just the network layer. So they're definitely a mix of the
> two techniques. (But, other than the fact that they do a bit of
> both, they embody no new rocket science)
>
> One place where the personall firewall / IDS hybrids present an
> interesting challenge to clarity is in performance marketing.
> Since they're operating at a packet level (sort of) an unscrupulous
> vendor (hi! you know who you are!) could claim their performance
> figures in terms of packets processed/second. So the vendor could
> say "in recent tests, our network IDS handled 10,000,000,000
> packets/second!!" without mentioning clearly that this was
> accomplished using a single host on a switch, but the host was
> only looking for attacks directed at itself... Such claims have
> already been made - clearly deceptive, but there you have it.
>
> > Is there a clear cut definition out there somewhere?
>
> You're asking if marketing respects technical language? <giggle>
> I wish...  :(  We went through the same kind of nonsense early
> on in the firewall days - proxy firewalls, stateful turbo
> multi-whomping packet examination, etc, etc. Eventually terms
> settle down when the marketing folks find a set of features
> they can tout that don't cause people to break out in belly
> laughter whenever they use it.
>
> mjr.
> -----
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work:                  http://www.nfr.net
> Personal:              http://www.ranum.com