Re: host-based ids evaluation

From: Talisker (talisker@networkintrusion.co.uk)
Date: 08/15/02


From: "Talisker" <talisker@networkintrusion.co.uk>
To: "roy lo" <roylo@sr2c.com>
Date: Thu, 15 Aug 2002 21:34:31 +0100

Roy

> NIDS and HIDS are like pans and pots in my opinion; they are similar,
"Pots and Pans" pretty much hits the nail on the head, which reiterates what
Toby was saying earlier: they are very different beasts. It is also worth
noting that there is rarely any correlation between events generated by NIDS
and HIDS unless a full compromise has occurred (have you experienced
anything different?). HIDS can also be very noisy; personally I prefer to
see the data from HIDS and NIDS on separate co-located screens. Maybe this
is personal preference and a topic for another thread. I like to see slow-
moving events on lots of screens rather than one screen of "blink and you
miss it". More screens also generate more budget, as it helps to impress those
that don't understand what's on the screens.

> Because of that nature I think NIDS is more proactive and HIDS is more
> reactive (again, this is the general ideal. *there is always exceptions
> to everything)

As to reactive and proactive, I think they are both reactive... I see a
vulnerability scanner as proactive, identifying the holes before they are
exploited... What if the attack is generated from within the scope of your
HIDS coverage? The HIDS may spot the privilege escalation etc. prior to an
attack going out onto the wire, and therefore prior to being seen by the
NIDS... An exception could be an inline IDS which stops the attacks getting
through at the gateway.

thoughts??

-andy

http://www.networkintrusion.co.uk

----- Original Message -----
From: "roy lo" <roylo@sr2c.com>
To: "Talisker" <talisker@networkintrusion.co.uk>
Cc: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>; "Gian Luca Valecchi"
<glvalecchi@hotmail.com>; "IDS Focus" <focus-ids@securityfocus.com>
Sent: Thursday, August 15, 2002 8:03 PM
Subject: Re: host-based ids evaluation

> I agree with you (Andy), but I would like to add something to it.
> Personally, I think in most cases HIDS is more of "reactive", and NIDS is
> more towards "proactive".
> (NIDS = Proactive
> HIDS = Reactive)
>
> And let me explain why I'm saying this. Basically HIDS only collects
> information/logs when the (pre)attacks have hit the host itself.
> While NIDS will/can gather all the information on the network.
>
> Because of that nature I think NIDS is more proactive and HIDS is more
> reactive (again, this is the general ideal. *there is always exceptions
> to everything)
>
> NIDS and HIDS are like pans and pots in my opinion; they are similar,
> but they work differently. Of course you can use your pots to cook fried
> eggs, but it is not recommended ^_^
>
> as for my setup
> HIDS goes on my gateway
> and NIDS will monitor the network activity under that (or above if I have
> more $$$ to spend)
>
> this is just my .02 cents
>
>
>
> Talisker wrote:
> > Gian
> >
> >
> >>Today, in industry there is no clear definition of HIDS. I think the best
> >>way to define an HIDS is to focus on its pros and cons against an NIDS.
> >
> >
> > I'd disagree, there are various publications out there that define the
> > different types of IDS.
> >
> > a Host IDS looks within the host for evidence of intrusion. Primary focus is
> > on Syslogs/Event logs; for it to be termed an IDS over an event log manager
> > some correlation needs to be carried out between events and over time.
> >
> > A Network IDS looks at the network promiscuously for intrusions on the wire.
> >
> > A Network Node IDS is installed on the network nodes (hosts) and looks
> > non-promiscuously at network traffic destined for that node. What
> > distinguishes it from a personal firewall is its ability to identify the
> > type of intrusion over just the port number and its ability to report in to
> > an enterprise manager (though this last requirement is debatable).
> >
> > A Hybrid IDS combines both the Network Node IDS and Host IDS.
> >
> > I don't see File Integrity Checkers as Host IDS; I have heard some
> > discussion as to whether they should even be termed an IDS. The same applies
> > to Honeypots.
> >
> > HIDS Pros
> >
> >>2) Don't have bandwidth problems (looks only at its host traffic);
> >
> >
> > Most Host IDS Analysts need their HIDS to report events in; individual
> > console access isn't an option depending on how many hosts you monitor. Try
> > letting an NT4.0 password expire whilst the user is logged on. Then see the
> > HIDS scream in pain as it reports in, consuming big chunks of bandwidth.
> >
> > Take care
> > -andy
> >
> >
>
>
> --
> Roy Lo
> Freelance Consultant
> E-mail - roylo@sr2c.com
>
>
> Sun Certified Network Administrator (SCNA)
> Sun Certified System Administrator (SCSA)
> Cisco Certified Network Associate (CCNA)
>
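The thread's working definition of a host IDS, as opposed to a plain event-log manager, is that it correlates events with each other and over time. As an added illustration that is not code from anyone in this thread, the following Python correlates constructed syslog lines to flag a burst of failed logins followed by a success and then an su to root, the kind of on-host privilege escalation a HIDS may see before anything reaches the wire. All log lines, hostnames, user names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from any real host).
SAMPLE_LOG = """\
Aug 15 21:00:01 gw sshd[311]: Failed password for bob from 10.0.0.5 port 4001 ssh2
Aug 15 21:00:03 gw sshd[311]: Failed password for bob from 10.0.0.5 port 4002 ssh2
Aug 15 21:00:04 gw sshd[311]: Failed password for bob from 10.0.0.5 port 4003 ssh2
Aug 15 21:00:09 gw sshd[312]: Accepted password for bob from 10.0.0.5 port 4004 ssh2
Aug 15 21:00:40 gw su[320]: (to root) bob on pts/0
Aug 15 21:30:00 gw sshd[400]: Accepted password for alice from 10.0.0.7 port 5000 ssh2
Aug 15 21:31:00 gw su[410]: (to root) alice on pts/1
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
OK_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
SU_RE = re.compile(r"\(to root\) (\S+) on")

def parse(line, year=2002):
    """Split one syslog line into (timestamp, host, program, message)."""
    m = LINE_RE.match(line)          # syslog lines carry no year; assume one
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def correlate(log_text, fail_threshold=3, window=timedelta(seconds=60),
              esc_window=timedelta(minutes=5)):
    """Alert on (1) fail_threshold+ failed logins then a success for the same user
    inside `window`, and (2) an su to root by that user inside `esc_window`."""
    alerts, fails, suspect = [], defaultdict(deque), {}
    for ev in filter(None, map(parse, log_text.splitlines())):
        ts, host, prog, msg = ev
        if m := FAIL_RE.search(msg):
            fails[m.group(1)].append(ts)
        elif m := OK_RE.search(msg):
            user, q = m.group(1), fails[m.group(1)]
            while q and ts - q[0] > window:   # forget failures outside the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append((ts, host, f"{len(q)} failures then success: {user} from {m.group(2)}"))
                suspect[user] = ts              # remember this session for step (2)
            q.clear()
        elif m := SU_RE.search(msg):
            user = m.group(1)
            if user in suspect and ts - suspect[user] <= esc_window:
                alerts.append((ts, host, f"root escalation by suspect session: {user}"))
    return alerts
```

Neither alert can be raised from any single line; alice's login and su, which lack the preceding failures, produce nothing.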


