R: host-based ids evaluation

From: Gianpiero Porchia (gianpiero.porchia@atsweb.it)
Date: 08/14/02


From: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>
To: "Gian Luca Valecchi" <glvalecchi@hotmail.com>
Date: Wed, 14 Aug 2002 17:03:26 +0200

Hi,

Today, in industry there is no clear definition of HIDS. I think the best
way to define an HIDS is to focus on its pros and cons against an NIDS.
NIDS - Pros
        1) Can monitor an entire subnet (or more);
        2) Independent from its protected hosts;
        3) Generally hidden from intruders;
        4) Simple to deploy;
     - Cons
        1) Problems with encrypted traffic;
        2) Can analyze only a limited bandwidth (pps and simultaneous connections);
        3) Can be desynchronized from its protected hosts;
        4) Doesn't have the concept of users and applications, and what they can do;
        5) Can detect only attacks that involve network communications;
HIDS - Pros
        1) Doesn't have problems with encrypted traffic (because it works at application level);
        2) Doesn't have bandwidth problems (looks only at its host's traffic);
        3) Has a clear concept of users (watches user activity) and applications (watches logs and system calls);
        4) Can detect attacks that don't involve network communications (such as privilege escalations);
     - Cons
        1) Hard to deploy;
        2) Needs its host to be hardened;
        3) Can be attacked like other services;

As you can see, HIDS and NIDS are complementary systems. The NIDS is much
like a plug-n-play IDS, that you can deploy easily on your network, for
watching friend or foe communications, watching for remote-to-local attacks.
But NIDS have their limits. If an attacker can bypass a NIDS, you need
another layer of defense (defense-in-depth); this is when the HIDS comes into
play. HIDS can detect local-to-local attacks (or local-to-root attacks),
it can detect users that are breaking policies, modifications to critical
files, applications that are behaving in a strange way, everything that can
help you to correlate this behaviour to a successful remote-to-local
attack. Moreover, HIDS can work like a NIDS, analyzing network traffic; this
HIDS behaviour is named NNIDS (Network Node IDS). When you have NIDS and
HIDS on your network, you have gained a much more complete IDS "coverage".

So if you need to test an HIDS, you need to test its whole system (i.e.
HIDS+NNIDS). You can use tools like Nessus for testing the NNIDS, but
remember that this tool is only for probing. For a more thorough test, you
need to test real-world exploits, that can really compromise a system. When
you have gained, for example, a shell on the system, you can test the HIDS part,
so you can try to modify critical files, install rootkits, etc.
Your HIDS system (as a whole) needs to do these basic tasks:

- Application (and kernel) log analysis;
- Host network traffic monitoring;
- Keep track of system configurations;
- Vulnerability assessment (checking for weak configurations);
- Policy management;

AFAIK there aren't tools that can test these tasks at host level; you need to
test them by hand. This kind of test is much more behaviour-based oriented
than signature-based, so another task that the security officers need for
HIDS management is:

- statistical analysis and integration with the NIDS alerts.

Moreover, if the attacker has gained access to your system, you need
to begin some kind of countermeasures, such as logging off the user, or
shutting down applications, connection backtracing, etc. So your HIDS needs
to:

- execute programs on your system (or system calls).

Finally, you can find a benchmark of some HIDS in the following link:

- http://www.nss.co.uk/ids/index.htm

- gianpiero

Ing. Gianpiero Porchia
Security Engineer
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality

Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
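The "keep track of system configurations" task above is the one most directly exercised by the by-hand test described (get a shell, modify critical files): a baseline of file hashes and modes is taken, and a later run reports what changed. The following is an added example, not code from the thread or from any product it mentions; the directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical HIDS-style file-integrity check (added example, not from the thread).
# Baseline = {relative path: (sha256, permission bits, size)}; later runs compare to it.


def snapshot(root):
    """Hash every regular file under root and record its mode bits and size."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[str(path.relative_to(root))] = (digest, st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(baseline, current):
    """Return added/removed/modified paths; 'modified' covers content or mode changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then apply the kind of changes a
    by-hand HIDS test makes (edit a critical file, loosen a mode, drop a binary)."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "shadow").write_text("root:*:0:0:99999:7:::\n")
        os.chmod(etc / "shadow", 0o600)
        baseline = snapshot(root)
        # Simulated tampering to exercise the check (constructed, not real system files)
        with open(etc / "passwd", "a") as f:
            f.write("testuser:x:0:0::/:/bin/sh\n")      # content change
        os.chmod(etc / "shadow", 0o644)                  # mode change only
        Path(root, "sbin").mkdir()
        (Path(root, "sbin") / "ls").write_bytes(b"\x7fELF")  # new file
        return compare(baseline, snapshot(root))
```

A real deployment would store the baseline off-host (or signed), since an attacker with a shell can otherwise rewrite it along with the files it covers.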

-----Original Message-----
From: Gian Luca Valecchi [mailto:glvalecchi@hotmail.com]
Sent: Tuesday, 13 August 2002 17.05
To: Andrew Plato; focus-ids@securityfocus.com
Subject: Re: host-based ids evaluation

Hi Andrew,
thank you for your suggestions.
My boss ordered me to produce a doc in which I've to evaluate ISS RealSecure
ServerSensor (Hybrid ids) focusing on host-based "component".
I'll try the tools you advised to me.
My idea is to install a Server Sensor also on the attacker host, to see if
the ids notifies me of the malicious attempts starting from a "protected"
machine.
Which websites are the best ones where I can find tools other than those you
mentioned to me?

thank you again,
Gianluca

----- Original Message -----
From: "Andrew Plato" <aplato@anitian.com>
To: <glvalecchi@hotmail.com>; <focus-ids@securityfocus.com>
Sent: Tuesday, August 13, 2002 2:18 AM
Subject: Re: host-based ids evaluation

>Hi all,
>I'm an IDS newbie, I've to evaluate some host-based IDS products.
>I need some advice about how to set up a feasible testbed.

What HIDS are you evaluating...out of curiosity? There are not very many out
there.

>I would reproduce some attacks from an attacker machine towards two victim
>machines (winnt and solaris) on which I've to install ids sensors:
>I need some pointers to find some attack/evaluation tools to exec towards
>the victim machine inside my testbed.

As for attack tools, there are so many we could spend all day. But a good
open-source tool is Nessus. It can run tons of scans against a machine and
make most IDS's light up like a Christmas tree. Another swell tool is Retina
from eEye Digital. You can download a free-eval copy to bang away at your
HIDS and watch them go.

These are intended as vulnerability scanners, I should note. But any decent
IDS should pick up their scans as events.

>I also know something about IDSwakeup/snot/stick tools; but AFAIK they're
>for network ids evaluation.
>Is there something out there (similar to it) for host-based ids?
>It could be very useful to me if you would point me the right way.

All of these tools will work on a HIDS. Just configure their scans to be
pointed specifically at the system where the HIDS is running.

------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------
