RE: host-based ids evaluation
From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 08/14/02
- Previous message: roy lo: "Re: IPSec and IDS"
- Maybe in reply to: gianluca valecchi: "host-based ids evaluation"
- Next in thread: Kohlenberg, Toby: "RE: host-based ids evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'Gianpiero Porchia'" <gianpiero.porchia@atsweb.it>, Gian Luca Valecchi <glvalecchi@hotmail.com>
Date: Wed, 14 Aug 2002 14:33:43 -0700
All opinions are my own and in no way reflect the views of my employer.
I'd have to disagree, not with the list you give or with the statement
that they are complementary, but with the claim that the best way to define
a HIDS is by comparing it to NIDS.
Having looked at a bunch of definitions, I've found a single question
provides a good definition:
Is the product looking at events for a network or a system?
If you are looking at a single system then you are a HIDS, even if you are
watching network traffic for that single system.
You can now get into deeper distinctions regarding types of IDS techniques,
but HIDS vs. NIDS is as simple as the focus of the product.
toby
> -----Original Message-----
> From: Gianpiero Porchia [mailto:gianpiero.porchia@atsweb.it]
> Sent: Wednesday, August 14, 2002 8:03 AM
> To: Gian Luca Valecchi
> Cc: IDS Focus
> Subject: R: host-based ids evaluation
>
>
> Hi,
>
> Today, in industry there is no clear definition of HIDS. I think the best
> way to define an HIDS is to focus on its pros and cons against an NIDS.
> NIDS - Pros
> 1) Can monitor an entire subnet (or more);
> 2) Independent from its protected hosts;
> 3) Generally hidden from intruders;
> 4) Simple to deploy;
> - Cons
> 1) Problems with encrypted traffic;
> 2) Can analyze only a limited bandwidth (pps and simultaneous connections);
> 3) Can be desynchronized from its protected hosts;
> 4) Doesn't have the concept of users and applications, and what they can do;
> 5) Can detect only attacks that involve network communications;
> HIDS - Pros
> 1) Doesn't have problems with encrypted traffic (because it works at
> application level);
> 2) Doesn't have bandwidth problems (looks only at its host traffic);
> 3) Has a clear concept of users (watches user activity) and applications
> (watches logs and system calls);
> 4) Can detect attacks that don't involve network communications (such as
> privilege escalations);
> - Cons
> 1) Hard to deploy;
> 2) Needs its host to be hardened;
> 3) Can be attacked like other services;
>
> As you can see, HIDS and NIDS are complementary systems. The NIDS is much
> like a plug-n-play IDS that you can deploy easily on your network, for
> watching friend or foe communications, watching for remote-to-local attacks.
> But NIDS have their limits. If an attacker can bypass a NIDS, you need
> another layer of defense (defense-in-depth); this is when the HIDS comes
> into play. HIDS can detect local-to-local attacks (or local-to-root attacks);
> it can detect users that are breaking policies, modifications to critical
> files, applications that are behaving in a strange way, everything that can
> help you to correlate this behaviour to a successful remote-to-local attack.
> Moreover, HIDS can work like a NIDS, analyzing network traffic; this HIDS
> behaviour is named NNIDS (Network Node IDS). When you have NIDS and HIDS on
> your network, you have gained a much more complete IDS "coverage".
>
> So if you need to test an HIDS, you need to test its whole system (i.e.
> HIDS+NNIDS). You can use tools like Nessus for testing the NNIDS, but
> remember that this tool is only for probing. For a more thorough test, you
> need to test real-world exploits that can really compromise a system. When
> you have gained, for example, a shell on the system, you can test the HIDS
> part, so you can try to modify critical files, install a rootkit, etc.
> Your HIDS system (as a whole) needs to do these basic tasks:
>
> - Application (and kernel) log analysis;
> - Host network traffic monitoring;
> - Keep track of system configurations;
> - Vulnerability assessment (checking for weak configurations);
> - Policy management;
>
> AFAIK there aren't tools that can test these tasks at host level; you need
> to test them by hand. This kind of test is much more behaviour-based
> oriented than signature-based, so another task that the security officers
> need for HIDS management is:
>
> - statistical analysis and integration with the NIDS alerts.
>
> Moreover, if the attacker has gained access to your system, you need to
> begin some kind of countermeasures, such as logging off the user, shutting
> down applications, connection backtracing, etc. So your HIDS needs to:
>
> - execute programs on your system (or system calls).
>
> Finally, you can find a benchmark of some HIDS in the following link:
>
> - http://www.nss.co.uk/ids/index.htm
>
>
> - gianpiero
>
> Ing. Gianpiero Porchia
> Security Engineer
> ATS - Advanced Telecom Systems
> Designing, Testing, Managing Network Quality
>
> Via Salgari, 17 - 41100 Modena - ITALY
> Tel +39 059 821332
> Fax +39 059 821492
> E-mail: gianpiero.porchia@atsweb.it
> Web site: http://www.atsweb.it
>
>
> -----Original Message-----
> From: Gian Luca Valecchi [mailto:glvalecchi@hotmail.com]
> Sent: Tuesday, 13 August 2002 17.05
> To: Andrew Plato; focus-ids@securityfocus.com
> Subject: Re: host-based ids evaluation
>
>
> Hi Andrew,
> thank you for your suggestions.
> My boss ordered me to produce a doc in which I have to evaluate ISS
> RealSecure ServerSensor (hybrid IDS), focusing on the host-based "component".
> I'll try the tools you advised me.
> My idea is to install a Server Sensor also on the attacker host, to see if
> the IDS notifies me of the malicious attempts starting from a "protected"
> machine.
> Which websites are the best ones where I can find tools other than those
> you mentioned to me?
>
> thank you again,
> Gianluca
>
>
> ----- Original Message -----
> From: "Andrew Plato" <aplato@anitian.com>
> To: <glvalecchi@hotmail.com>; <focus-ids@securityfocus.com>
> Sent: Tuesday, August 13, 2002 2:18 AM
> Subject: Re: host-based ids evaluation
>
>
> >Hi all,
> >I'm an IDS newbie; I have to evaluate some host-based IDS products.
> >I need some advice about how to set up a feasible testbed.
>
> What HIDS are you evaluating... out of curiosity? There are not very many
> out there.
>
> >I would reproduce some attacks from an attacker machine towards two victim
> >machines (winnt and solaris) on which I have to install IDS sensors:
> >I need some pointers to find some attack/evaluation tools to exec towards
> >the victim machine inside my testbed.
>
> As for attack tools, there are so many we could spend all day. But a good
> open-source tool is Nessus. It can run tons of scans against a machine and
> make most IDS's light up like a Christmas tree. Another swell tool is Retina
> from eEye Digital. You can download a free-eval copy to bang away at your
> HIDS and watch them go.
>
> These are intended as vulnerability scanners, I should note. But any decent
> IDS should pick up their scans as events.
>
> >I also know something about IDSwakeup/snot/stick tools; but AFAIK they're
> >for network IDS evaluation.
> >Is there something out there (similar to it) for host-based IDS?
> >It could be very useful to me if you would point me the right way.
>
> All of these tools will work on a HIDS. Just configure their scans to be
> pointed specifically at the system where the HIDS is running.
>
> ------------------------------------
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
>
> (503) 644-5656 office
> (503) 201-0821 cell
> http://www.anitian.com
> ------------------------------------
>
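Two of the HIDS tasks listed in the quoted message (application log analysis, and keeping track of critical files/configurations) are small enough to show end to end. The script below is an added example written for this archive page; it is not code from any of the posters nor from any product named in the thread. Everything it operates on is constructed in place: a scratch directory tree standing in for a monitored host, and a handful of syslog-style sshd/su lines whose format is an assumption of this example. It builds a SHA-256 baseline of the tree, reports modified, added and deleted files after a simulated change, and flags two host-level patterns from the log sample that a network sensor watching encrypted SSH would not see: a successful login following repeated failures from the same source, and a local su to root.

```python
"""Minimal host-based checks: file-integrity baselining and log analysis.

Added illustration for a HIDS evaluation discussion; not a product's code.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            baseline[str(full.relative_to(root))] = hash_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify differences between two baselines taken at different times."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "deleted": sorted(k for k in old if k not in new),
    }


# Constructed sample log lines (syslog-like shape is an assumption; no real host).
SAMPLE_LOG = """\
Aug 14 14:30:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 4122 ssh2
Aug 14 14:30:03 host sshd[1201]: Failed password for root from 10.0.0.5 port 4123 ssh2
Aug 14 14:30:05 host sshd[1201]: Failed password for root from 10.0.0.5 port 4124 ssh2
Aug 14 14:30:09 host sshd[1202]: Accepted password for root from 10.0.0.5 port 4125 ssh2
Aug 14 14:31:00 host su[1310]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Aug 14 14:32:00 host sshd[1203]: Accepted publickey for bob from 10.0.0.7 port 5000 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SU_ROOT_RE = re.compile(r"su\[\d+\]: .*session opened for user root by (\w+)")


def analyze_log(text: str, threshold: int = 3) -> list:
    """Return alert strings for: success after >= threshold failures, and su to root."""
    failures = Counter()  # (user, source) -> count of failed logins seen so far
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            if failures[key] >= threshold:
                alerts.append(f"login for {key[0]} from {key[1]} after {failures[key]} failures")
            continue
        m = SU_ROOT_RE.search(line)
        if m:
            alerts.append(f"privilege escalation: {m.group(1)} became root via su")
    return alerts


def demo_integrity() -> dict:
    """Baseline a scratch tree, apply a simulated change, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated change set: one file edited, one added, one removed.
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF")
        (root / "etc" / "hosts").unlink()
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo_integrity())
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
```

The baseline comparison is the "keep track of system configurations" task in its simplest form: a stored hash set, re-hashed on a schedule and diffed. The log analyzer shows why the thread calls host-level testing behaviour-based rather than signature-based: the interesting event is the sequence (failures then success, or a session opened for root), not any single line.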