R: host-based ids evaluation

From: Gianpiero Porchia (gianpiero.porchia@atsweb.it)
Date: 08/16/02


From: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>
To: "Talisker" <talisker@networkintrusion.co.uk>
Date: Fri, 16 Aug 2002 13:18:41 +0200

Andy,

>I'd disagree, there are various publications out there that define the
>different types of IDS.

You are right, but if we are looking at industrial definitions, we can find
a lot of strange things. I know that the correct definition of a HIDS is an
IDS that looks for attacks at host level, and a NIDS watches only for attacks at
network level (i.e. sniffing the traffic of a subnet). Unfortunately the two
definitions are not so clear, if you think that a NNIDS looks both at
network level and at host level (it's looking only for host traffic).
However, I'm saying that a definition is clearer when it is not absolute,
but is relative to other stuff.

>A Hybrid IDS combines both the Network Node IDS and Host IDS.

Correct, but a hybrid IDS can be a distributed system too, so IMHO a HIDS
is a subset of a Hybrid IDS.

>I don't see File Integrity Checkers as Host IDS, I have heard some
>discussion as to whether they should even be termed an IDS, same applies to
>Honeypots.

I think FIC are part of a HIDS, because they are looking for anomalies on
the file system of a host, but they do this test in batch mode instead of
in real time.

>Most Host IDS Analysts need their HIDS to report events in, individual
>console access isn't an option depending on how many hosts you monitor. Try
>letting an NT4.0 password expire whilst the user is logged on. Then see the
>HIDS scream in pain as it reports in, consuming big chunks of bandwidth.

Ok, but I know some kinds of HIDS that are using buffered alerts, so they
send a kind of alert only one time in a period. However, I'm speaking of the
packet-dropping issue of NIDS when I say that NIDS have some bandwidth
problem.

Bye

- gianpiero

Ing. Gianpiero Porchia
Security Engineer
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality

Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
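The "buffered alerts" idea discussed in this thread, as an added example that is not part of the original post or of any product named in it: a small Python alert coalescer that forwards the first copy of a HIDS alert, absorbs identical repeats for a fixed period, and then forwards a single summary with the repeat count. The event sample and the (host, kind, detail) field layout are constructed for illustration.

```python
# Constructed sample events (timestamp seconds, host, kind, detail): a HIDS re-reports
# the same expired-password condition every second, as in the NT 4.0 scenario above.
SAMPLE_EVENTS = [(t, "host-a", "password_expired", "user=jdoe") for t in range(10)]
SAMPLE_EVENTS += [(3, "host-a", "login_failure", "user=root"),
                  (12, "host-a", "password_expired", "user=jdoe")]


class AlertBuffer:
    """Forward the first copy of an alert at once; absorb identical repeats for
    `period` seconds and replace them with a single summary carrying the count."""

    def __init__(self, period):
        self.period = period   # seconds a window stays open per alert key
        self.open = {}         # key -> [first_ts, last_ts, count]

    def _summary(self, key, win):
        first, last, count = win
        # A window with no repeats already sent its one alert; nothing to add.
        return ("summary", key, count - 1, first, last) if count > 1 else None

    def submit(self, ts, host, kind, detail):
        """Return the messages the console should receive for this one event."""
        key = (host, kind, detail)
        win = self.open.get(key)
        if win and ts - win[0] < self.period:
            win[1], win[2] = ts, win[2] + 1      # repeat inside the window: count only
            return []
        out = []
        if win:                                  # window expired: settle it first
            s = self._summary(key, win)
            if s:
                out.append(s)
        self.open[key] = [ts, ts, 1]
        out.append(("alert", key, ts))
        return out

    def flush(self):
        """Close all windows (e.g. on shutdown) and return any pending summaries."""
        out = [s for k, w in self.open.items() if (s := self._summary(k, w))]
        self.open.clear()
        return out


def run(events, period):
    """Feed time-ordered events through one buffer; return everything forwarded."""
    buf = AlertBuffer(period)
    forwarded = []
    for ts, host, kind, detail in sorted(events):
        forwarded.extend(buf.submit(ts, host, kind, detail))
    forwarded.extend(buf.flush())
    return forwarded
```

With a 5-second period the 12 sample events become 4 alerts and 2 summaries; with a period of 0 every event is forwarded unchanged, which is the behaviour the thread complains about.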


