Intrusion Detection Systems mailing list archives

Re: HIDS vs. NIDS market stats?


From: "Talisker" <Talisker () networkintrusion co uk>
Date: Wed, 23 May 2001 20:58:30 +0100

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Greg

Sorry I've been away for a while and missed the start of the debate, so if
what I'm about to say is complete cr*p or a repeat please forgive me.

The problem as I see it is that a single NIDS will cover 100's of hosts
whereas generally every host or at least all the servers need to have
individual HIDS agents.  Therefore a purely numeric comparison wouldn't be
accurate.

Moreover, traditionally, IDS has meant NIDS, so when companies purchase an
IDS they get a NIDS; it seems that HIDS get purchased when a company looks
for defense in depth (not always the case).  This can be somewhat justified
by the different results, when trying to compare the 2, in infantry English,
I use the following fishing analogy:

Deploying a network IDS (internal network) is like shark fishing, you rarely
get a bite but when you catch a good one you could feed a village for a
week.  A host IDS is like mackerel (do you have them in the US?) fishing, you
generally catch them often but each one will only feed a single person.

Please don't feel insulted by the above analogy,  I realise you know your
way around the differing IDS categories far better than I.  I'm just trying
to get the point out that with a NIDS you can get better results than with a
HIDS and if I were to have to choose I'd always go for the NIDS.  This is
offset to a small degree by the need to audit router/firewall/event/syslogs
(policy?); what better way to do this than with a HIDS?

Greg I realise now that this hasn't helped you in the slightest with your
quest, but felt the urge to respond, though I think you are probably correct
in suspecting there are more NIDS than HIDS.

Take care and keep up the good work

Andy
PS no flames please about how inaccurate my little analogy is, I'm also
getting lots of bites on my NIDS and they are mostly false positives
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List

Security Tools Notification
http://groups.yahoo.com/group/security-tools/join
----- Original Message -----
From: "Greg Shipley" <gshipley () neohapsis com>
To: <FOCUS-IDS () securityfocus com>; <ids () uow edu au>
Sent: Wednesday, May 23, 2001 10:49 AM
Subject: IDS: HIDS vs. NIDS market stats?



Does anyone know of any market research papers that have stats comparing
the number of HIDS licenses shipped vs. NIDS licenses?  Or heck, anything
that BALLPARKS estimated deployment numbers?

What I'm trying to find out is which type is more prevalent in the
commercial space.  *trying to dodge the tripwire debate*  My guess is
NIDS, but I have nothing to back this up...

Thanks,

-Greg






