Re: host-based ids evaluation

From: Talisker (talisker@networkintrusion.co.uk)
Date: 08/15/02


From: "Talisker" <talisker@networkintrusion.co.uk>
To: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>, "Gian Luca Valecchi" <glvalecchi@hotmail.com>
Date: Thu, 15 Aug 2002 10:15:27 +0100

Gian

> Today, in industry there is no clear definition of HIDS. I think the best
> way to define an HIDS is to focus on
> its pros and cons against an NIDS.

I'd disagree; there are various publications out there that define the
different types of IDS.

A Host IDS looks within the host for evidence of intrusion. Its primary focus is
on syslogs/event logs; for it to be termed an IDS rather than an event log manager,
some correlation needs to be carried out between events and over time.

A Network IDS looks at the network promiscuously for intrusions on the wire.

A Network Node IDS is installed on the network nodes (hosts) and looks
non-promiscuously at network traffic destined for that node. What distinguishes
it from a personal firewall is its ability to identify the type of
intrusion beyond just the port number and its ability to report in to an
enterprise manager (though this last requirement is debatable).

A Hybrid IDS combines both the Network Node IDS and Host IDS.

I don't see File Integrity Checkers as Host IDS, I have heard some
discussion as to whether they should even be termed an IDS, same applies to
Honeypots.

HIDS Pros
> 2) Don't have bandwidth problems (looks only at its host traffic);

Most Host IDS Analysts need their HIDS to report events in, individual
console access isn't an option depending on how many hosts you monitor. Try
letting an NT4.0 password expire whilst the user is logged on. Then see the
HIDS scream in pain as it reports in, consuming big chunks of bandwidth.

Take care
-andy
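The distinction drawn above between an event log manager and a Host IDS (correlating events with each other and over time, rather than just recording them), as an added example that is not part of the original post; the log lines, the login-record format, and the threshold/window values are all constructed for illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample event log (not taken from any real system or from the post).
SAMPLE_LOG = """\
2002-08-15 10:01:02 host1 login: FAILED LOGIN for alice from 10.0.0.5
2002-08-15 10:01:09 host1 login: FAILED LOGIN for alice from 10.0.0.5
2002-08-15 10:01:15 host1 login: FAILED LOGIN for alice from 10.0.0.5
2002-08-15 10:01:20 host1 login: FAILED LOGIN for alice from 10.0.0.5
2002-08-15 10:01:31 host1 login: LOGIN for alice from 10.0.0.5
2002-08-15 10:30:00 host1 login: FAILED LOGIN for bob from 10.0.0.9
2002-08-15 11:45:00 host1 login: FAILED LOGIN for bob from 10.0.0.9
"""

# Hypothetical record layout: "<date> <time> <host> login: <result> for <user> from <src>"
LINE_RE = re.compile(r"^(\S+ \S+) \S+ login: (FAILED LOGIN|LOGIN) for (\S+) from (\S+)$")

def parse(log):
    """Turn raw lines into (timestamp, failed?, user, source) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2) == "FAILED LOGIN", m.group(3), m.group(4)))
    return events

def log_manager_view(log):
    """Event log manager behaviour: every line is one independent record."""
    return [(user, "failed" if failed else "ok") for _, failed, user, _ in parse(log)]

def hids_correlate(log, threshold=3, window_s=60):
    """HIDS behaviour: relate events to each other and over time.
    threshold failed logins for one user inside window_s seconds, followed by a
    successful login, collapse into a single alert instead of N unrelated records."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent failed logins
    for ts, failed, user, src in parse(log):
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the time window
        if failed:
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append((user, src, len(q), ts))
            q.clear()
    return alerts
```

The log manager returns seven unrelated records; the correlating view returns one alert for alice and nothing for bob, whose two failures are far apart in time.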
