Re: host-based ids evaluation
From: roy lo (roylo@sr2c.com)
Date: 08/15/02
- Previous message: Adam Powers: "RE: Ethernet tap vs. spanned port"
- In reply to: Talisker: "Re: host-based ids evaluation"
- Next in thread: Kurt Seifried: "Re: host-based ids evaluation"
- Next in thread: Talisker: "Re: host-based ids evaluation"
- Reply: Kurt Seifried: "Re: host-based ids evaluation"
- Reply: Talisker: "Re: host-based ids evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 15 Aug 2002 12:03:04 -0700
From: roy lo <roylo@sr2c.com>
To: Talisker <talisker@networkintrusion.co.uk>
I agree with you (Andy), but I would like to add something to it.
Personally, I think in most cases HIDS is more "reactive", and NIDS is
more towards "proactive".
(NIDS = Proactive
HIDS = Reactive)
And let me explain why I'm saying this. Basically, HIDS only collects
information/logs when the (pre)attacks have hit the host itself,
while NIDS will/can gather all the information on the network.
Because of that nature I think NIDS is more proactive and HIDS is more
reactive (again, this is the general idea. *There are always exceptions
to everything.)
NIDS and HIDS are like pans and pots in my opinion; they are similar,
but they work differently. Of course you can use your pots to cook fried
eggs, but it is not recommended ^_^
As for my setup:
HIDS goes on my gateway
and NIDS will monitor the network activity under that (or above if I have
more $$$ to spend).
This is just my .02 cents.
Talisker wrote:
> Gian
>
>
>>Today, in industry there is no clear definition of HIDS. I think the best
>>way to define an HIDS is to focus on
>>its pros and cons against an NIDS.
>
>
> I'd disagree, there are various publications out there that define the
> different types of IDS.
>
> A Host IDS looks within the host for evidence of intrusion. Primary focus is
> on Syslogs/Event logs, for it to be termed an IDS over an event log manager
> some correlation needs to be carried out between events and over time.
>
> A Network IDS looks at the network promiscuously for intrusions on the wire.
>
> A Network Node IDS is installed on the network nodes (hosts) and looks
> non-promiscuously at network traffic destined for that node. What distinguishes
> it from a personal firewall is its ability to identify the type of
> intrusion over just the port number and its ability to report in to an
> enterprise manager (though this last requirement is debatable).
>
> A Hybrid IDS combines both the Network Node IDS and Host IDS.
>
> I don't see File Integrity Checkers as Host IDS, I have heard some
> discussion as to whether they should even be termed an IDS, same applies to
> Honeypots.
>
> HIDS Pros
>
>>2) Don't have bandwidth problems (looks only at its host traffic);
>
>
> Most Host IDS Analysts need their HIDS to report events in, individual
> console access isn't an option depending on how many hosts you monitor. Try
> letting an NT4.0 password expire whilst the user is logged on. Then see the
> HIDS scream in pain as it reports in, consuming big chunks of bandwidth.
>
> Take care
> -andy
>
>
--
Roy Lo
Freelance Consultant
E-mail - roylo@sr2c.com
Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)