Re: A good question about NIDS & HIDS or why NIDS and not just HIDS?



On Tuesday 26 May 2009 20:16:56 Juan B wrote:
Hi,

I am thinking that if the target of a hacker is always the server, then why do I
need the NIDS? I can monitor the servers very well with some kind of
HIDS like OSSEC and I am done, no? Why should I care about the NIDS when I
have a well-configured HIDS on every server?


Well, it depends on the situation of your network...

e.g. You have a dbserver holding the database of your company accounting, and
you have a webserver to manage this database... There are two important servers
on your network...

Supposing that these servers can only be accessed from your internal network,
you will only secure both servers, and not monitor the whole network...

In fact, your servers will be protected against conventional attacks... but...

What about the routers?
What about the switches...
What about the end computers?

An attacker could deploy an attack on your switch like Man in the Middle, or
can attack your router, forwarding the connections to a malicious computer
hosting an imitation of your webserver...

This malicious imitation will save and record all login attempts and their
passwords... And then...

Your server with HIDS will be secure, but the information traveling across
the network will not be.

---------

Yes, there is a possibility to secure the communication: you can install SSL
certificates at both ends of the connection (server and client)...

But this could also be broken if the hacker hacks into the client machine.

thanks

Juan





--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

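The switch-level redirection described in the reply is exactly what a HIDS on the server cannot see and a sensor on the network segment can. As an added example (not code from this thread or its authors), here is a minimal ARP watcher in the spirit of arpwatch: it flags an IP whose MAC binding changes and a MAC that answers for several IPs; the capture, the addresses and the host roles are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture time in seconds
    sender_ip: str    # IP address the reply claims to own
    sender_mac: str   # MAC address peers are asked to cache for it


class ArpWatcher:
    """Keeps the ip->mac binding last seen on the wire and logs every change."""

    def __init__(self):
        self.bindings = {}   # ip -> mac currently believed
        self.alerts = []     # (ts, ip, old_mac, new_mac)

    def observe(self, pkt):
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            # A second station is answering for an IP already bound elsewhere:
            # this is what ARP-based redirection of server traffic looks like.
            self.alerts.append((pkt.ts, pkt.sender_ip, known, pkt.sender_mac))
        self.bindings[pkt.sender_ip] = pkt.sender_mac


def detect_binding_changes(packets):
    """Return the binding-change alerts for a capture, in time order."""
    watcher = ArpWatcher()
    for pkt in sorted(packets, key=lambda p: p.ts):
        watcher.observe(pkt)
    return watcher.alerts


def macs_claiming_multiple_ips(packets):
    """Second signal: one MAC answering for several IPs (server and gateway)."""
    claimed = defaultdict(set)
    for pkt in packets:
        claimed[pkt.sender_mac].add(pkt.sender_ip)
    return {mac for mac, ips in claimed.items() if len(ips) > 1}


# Constructed capture (not real hosts): a web server at 10.0.0.10, the gateway
# at 10.0.0.1, and a rogue station that answers for both, then goes quiet.
SAMPLE_CAPTURE = [
    ArpReply(1.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(1.5, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(2.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),   # repeat, no alert
    ArpReply(3.0, "10.0.0.10", "de:ad:be:ef:00:01"),   # rogue claims the server
    ArpReply(3.2, "10.0.0.1", "de:ad:be:ef:00:01"),    # rogue claims the gateway
    ArpReply(4.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),   # real server reasserts
]

if __name__ == "__main__":
    for ts, ip, old, new in detect_binding_changes(SAMPLE_CAPTURE):
        print(f"t={ts:.1f} {ip} moved from {old} to {new}")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_CAPTURE))
```

In a real deployment the records would come from a span port or tap feeding a pcap reader, and the first-seen table would be seeded from the known inventory so a rogue announcing first does not become the trusted binding.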


