Security Basics mailing list archives
Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS?
From: lonervamp () gmail com
Date: Mon, 1 Jun 2009 12:03:57 -0600
Excellent question! My answer will be: you should strive to get both HIDS and NIDS.

1. I think I personally have learned just as much or more about my environment from my NIDS than I have from all the HIDS. Just saying, it's a valuable informative detection tool.

2. The target of many hackers is the data, not the server. And the data can be snatched or rerouted on the network without any hosts knowing it.

3. The previous response of a layered approach is correct. If you have a HIDS on your web server, will it know to detect and alert on an application attack? Will a HIDS on one system know when a rogue peer is conducting a recon scan across your network even though it is just hitting 2 ports per host? Or your SQL server is responding to a SQL heads-up to someone it shouldn't be? Basically, what one product may miss, another one may catch. The reverse holds true: a HIDS can detect things a NIDS cannot, especially involving context of traffic.

4. Your HIDS is out the window once you lose one target to an attacker. Just like traditional viruses disabling AV products right away, so too can something you or a user accidentally runs get past the HIDS. And once down, then what? All of your other HIDS-protected boxes will never be able to detect your now-owned box as being bad news. However, your NIDS may detect that box being pivoted across... The chances of your NIDS being attacked directly are slim, imo. (Evasion is another story...)

5. Will you be running HIDS on your network devices? What if someone passes a telnet challenge/response to your router?

6. I've not been impressed with the mess of false alerts and futility of monitoring HIDS across user machines with an infinite number of things users do that cause exceptions or false positives. At least with NIDS I tend to feel like I have a manageable scope. A minor nitpick, since they both throw positives and give information.
You have a great question, by the way, and there is no easy answer other than: both offer you value. I would personally never approach it with the goal of dismissing one in favor of the other.

<original post>
> Hi,
> I am thinking that if the target of a hacker is always the server, why do I need the NIDS? I can monitor very well just the servers with some kind of HIDS like Ossec and I am done, no? Why should I care about the NIDS when I have a well-configured HIDS on every server?
> thanks
> Juan
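Point 3 above (a recon scan that touches only two ports per host) is the clearest case of the two sensors seeing different data. The script below is an added illustration, not code from the original post or from any HIDS/NIDS product: it replays a constructed set of flow records through a per-host rule (what a HIDS on one server can see) and a network-wide rule (what a sensor on the segment can see). The hosts, ports, flow records and both thresholds are assumptions made for the demonstration.

```python
"""Per-host vs network-wide view of a low-and-slow horizontal scan.

Added illustration for the thread above; not from the original post or
from any NIDS/HIDS product. All hosts, flows and thresholds are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: int        # seconds since start of capture (constructed)
    src: str
    dst: str
    dport: int


# Constructed sample: 10.0.0.99 probes only two ports (22, 445) on each of
# 12 servers, 30 s apart; 10.0.0.5 is a legitimate admin box that SSHes
# to three of the same servers.
SCANNER = "10.0.0.99"
ADMIN = "10.0.0.5"
TARGETS = [f"10.0.1.{n}" for n in range(1, 13)]

FLOWS: List[Flow] = []
t = 0
for host in TARGETS:
    for port in (22, 445):
        FLOWS.append(Flow(t, SCANNER, host, port))
        t += 30
for host in TARGETS[:3]:
    FLOWS.append(Flow(t, ADMIN, host, 22))
    t += 5

# Thresholds (assumptions): the host rule flags a source that probes >= 5
# distinct ports on *this* host; the network rule flags a source that
# touches >= 8 distinct hosts on the segment.
HIDS_PORT_THRESHOLD = 5
NIDS_HOST_THRESHOLD = 8


def hids_alerts(flows: List[Flow], host: str) -> Dict[str, Set[int]]:
    """What a host-based sensor on `host` can see: only flows to itself.
    Returns {src: ports} for sources over the per-host port threshold."""
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        if f.dst == host:
            ports_by_src[f.src].add(f.dport)
    return {s: p for s, p in ports_by_src.items()
            if len(p) >= HIDS_PORT_THRESHOLD}


def nids_alerts(flows: List[Flow]) -> Dict[str, Set[str]]:
    """What a network sensor on the segment can see: every flow, so one
    source can be correlated across many destinations.
    Returns {src: hosts} for sources over the distinct-host threshold."""
    hosts_by_src: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        hosts_by_src[f.src].add(f.dst)
    return {s: h for s, h in hosts_by_src.items()
            if len(h) >= NIDS_HOST_THRESHOLD}


if __name__ == "__main__":
    for host in TARGETS:
        print(host, "host-rule alerts:", hids_alerts(FLOWS, host) or "none")
    print("network-rule alerts:", nids_alerts(FLOWS))
```

Each server individually sees the scanner touch two ports, well under the per-host threshold, so none of the twelve host views raises anything; the network view sees the same source reach twelve hosts and flags it, while the admin box (three hosts) stays under the line. The difference is not in the rule logic but in which flows each sensor ingests, which is the point the reply is making.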
Current thread:
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Kel (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Jeffrey Walton (Jun 01)
- <Possible follow-ups>
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Thrynn (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Francois Yang (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? evilwon12 (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Laurens Vets (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Aarón Mizrachi (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? lonervamp (Jun 01)
- RE: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Nick Vaernhoej (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? aditya mukadam (Jun 01)
- Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS? Aarón Mizrachi (Jun 01)