Re: host-based ids evaluation

From: roy lo (roylo@sr2c.com)
Date: 08/15/02


Date: Thu, 15 Aug 2002 14:48:12 -0700
From: roy lo <roylo@sr2c.com>
To: Talisker <talisker@networkintrusion.co.uk>

I think you are missing the fact that there ought to be scripts that
preview the logs and send alarms based on them.
That is why NIDS is proactive: it will log the network traffic patterns,
which it will then compare with the conditions you (sysadmin) wrote.
In one of my older posts I have mentioned that the sysadmin is "supposed" to
write those scripts and set those environments up. (Sadly, nowadays' sysadmins
are generally less skillful compared to the old days.)

As for NIDS and HIDS, they work differently. HIDS can't detect anything
unless the "event" has hit/passed through the host (i.e. HIDS on a gateway),
while NIDS can read through the patterns of the abnormal traffic and thus
put an alarm on it. (A simple example would be various portscan
activities coming out from a single host.) [And the alarm has separate levels
according to the patterns.]

Can you see the point I'm trying to make?

Talisker wrote:
> Roy
>
>
>>NIDS and HIDS are like pans and pots in my opinion; they are similar,
>
> "Pots and Pans" pretty much hits the nail on the head which reiterates what
> Toby was saying earlier, they are very different beasts, it is also worth
> noting that there is rarely any correlation between events generated by NIDS
> and HIDS unless a full compromise has occurred (have you experienced
> anything different). HIDS can also be very noisy, personally I prefer to
> see the data from HIDS and NIDS on separate co-located screens. Maybe this
> is personal preference and a topic for another thread. I like to see slow
> moving events on lots of screens rather than one screen of "blink and you
> miss it". More screens also generate more budget as it helps to impress those
> that don't understand what's on the screens.
>
>
>>Because of that nature I think NIDS is more proactive and HIDS is more
>>reactive (again, this is the general idea. *there are always exceptions
>>to everything)
>
>
> As to reactive and proactive I think they are both reactive..... I see a
> vulnerability scanner as proactive, identifying the holes before they are
> exploited......What if the attack is generated from within the scope of your
> HIDS coverage, the HIDS may spot the privilege escalation etc prior to an
> attack going out onto the wire and therefore prior to being seen by the
> NIDS.....An exception could be an Inline IDS which stops the attacks getting
> through at the gateway.
>
> thoughts??
>
> -andy
>
> http://www.networkintrusion.co.uk
>
>
>
>
>
> ----- Original Message -----
> From: "roy lo" <roylo@sr2c.com>
> To: "Talisker" <talisker@networkintrusion.co.uk>
> Cc: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>; "Gian Luca Valecchi"
> <glvalecchi@hotmail.com>; "IDS Focus" <focus-ids@securityfocus.com>
> Sent: Thursday, August 15, 2002 8:03 PM
> Subject: Re: host-based ids evaluation
>
>
>
>>I agree with you (andy), but I would like to add something to it.
>>Personally, I think in most cases HIDS is more of "reactive", and NIDS is
>>more towards "proactive".
>>(NIDS = Proactive
>> HIDS = Reactive)
>>
>>And let me explain why I'm saying this. Basically HIDS only collects
>>information/logs when the (pre)attacks have hit the host itself.
>>While NIDS will/can gather all the information on the network.
>>
>>Because of that nature I think NIDS is more proactive and HIDS is more
>>reactive (again, this is the general idea. *there are always exceptions
>>to everything)
>>
>>NIDS and HIDS are like pans and pots in my opinion; they are similar,
>>but they work differently. Of course you can use your pots to cook fried
>>eggs, but it is not recommended ^_^
>>
>>as for my setup
>>HIDS goes on my gateway
>>and NIDS will monitor the network activity under that (or above if I have
>>more $$$ to spend)
>>
>>this is just my .02 cents
>>
>>
>>
>>Talisker wrote:
>>
>>>Gian
>>>
>>>
>>>
>>>>Today, in industry there is no clear definition of HIDS. I think the best
>>>>way to define an HIDS is to focus on
>>>>its pros and cons against an NIDS.
>>>
>>>
>>>I'd disagree, there are various publications out there that define the
>>>different types of IDS.
>>>
>>>a Host IDS looks within the host for evidence of intrusion. Primary focus is
>>>on Syslogs/Event logs, for it to be termed an IDS over an event log manager
>>>some correlation needs to be carried out between events and over time.
>>>
>>>A Network IDS looks at the network promiscuously for intrusions on the wire
>
>>>A Network Node IDS is installed on the network nodes (hosts) and looks non
>>>promiscuously at network traffic destined for that node. What distinguishes
>>>it from a personal firewall is its ability to identify the type of
>>>intrusion over just the port number and its ability to report in to an
>>>enterprise manager (though this last requirement is debatable)
>>>
>>>A Hybrid IDS combines both the Network Node IDS and Host IDS.
>>>
>>>I don't see File Integrity Checkers as Host IDS, I have heard some
>>>discussion as to whether they should even be termed an IDS, same applies to
>>>Honeypots.
>>>
>>>HIDS Pros
>>>
>>>
>>>>2) Don't have bandwidth problems (looks only at its host traffic);
>>>
>>>
>>>Most Host IDS Analysts need their HIDS to report events in, individual
>>>console access isn't an option depending on how many hosts you monitor. Try
>>>letting an NT4.0 password expire whilst the user is logged on. Then see the
>>>HIDS scream in pain as it reports in, consuming big chunks of bandwidth.
>>>
>>>Take care
>>>-andy
>>>
>>>
>>
>>
>>--
>>Roy Lo
>>Freelance Consultant
>>E-mail - roylo@sr2c.com
>>
>>
>>Sun Certified Network Administrator (SCNA)
>>Sun Certified System Administrator (SCSA)
>>Cisco Certified Network Associate (CCNA)
>>
>
>

-- 
Roy Lo
Freelance Consultant
E-mail - roylo@sr2c.com

Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)
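The kind of sysadmin-written alarm script Roy describes above, as an added example that is not part of the thread: it reads firewall DROP lines, counts how many distinct ports a single source touched inside a time window, and grades the alarm by level. The iptables-style log format, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style DROP lines as sample input (not from the thread).
SAMPLE_LOG = """\
Aug 15 14:48:01 gw kernel: DROP SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=21
Aug 15 14:48:01 gw kernel: DROP SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22
Aug 15 14:48:02 gw kernel: DROP SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=23
Aug 15 14:48:02 gw kernel: DROP SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=25
Aug 15 14:48:03 gw kernel: DROP SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=80
Aug 15 14:48:05 gw kernel: DROP SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP DPT=22
Aug 15 14:48:09 gw kernel: DROP SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=22
Aug 15 14:48:10 gw kernel: DROP SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=80
Aug 15 14:48:11 gw kernel: DROP SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=443
Aug 15 14:50:30 gw kernel: DROP SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP "
    r"SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ DPT=(?P<dpt>\d+)")
# Alarm level by distinct destination ports one source touched inside the window.
LEVELS = ((20, "high"), (5, "medium"), (3, "low"))

def parse(line):
    """Return (timestamp, src, dport) for a DROP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m["src"], int(m["dpt"])

def scan_alarms(log_text, window=60):
    """Map each source to (level, peak distinct ports) seen within the window."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if ev := parse(line):
            per_src[ev[1]].append((ev[0], ev[2]))
    alarms = {}
    for src, events in per_src.items():
        events.sort()  # syslog order is not guaranteed; sort by timestamp
        peak = 0
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window}
            peak = max(peak, len(ports))
        level = next((name for limit, name in LEVELS if peak >= limit), None)
        if level:
            alarms[src] = (level, peak)
    return alarms
```

Calling scan_alarms(SAMPLE_LOG) flags 10.0.0.5 as "medium" and 10.0.0.9 as "low", while 10.0.0.7 (one port, two hits minutes apart) raises nothing.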


