Security Basics mailing list archives

RE: A good question about NIDS & HIDS or why NIDS and not just HIDS?


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 29 May 2009 08:28:34 -0500

Imagine a simple topology as
Internet--Firewall--Switch--ServersWithHIDS.

If your attacker gets all the way through to your servers and they
become his "property", you really can't trust or rely on an intrusion
detection/prevention mechanism on those servers.

But if you were to connect an intrusion detection/prevention mechanism
to a mirrored port on the switch, then you can lose your servers and
still be aware you just lost all your servers.

I am not making an argument for which mechanism is better, but rather
that they complement each other very well.

Nick

-> -----Original Message-----
-> From: listbounce () securityfocus com
-> [mailto:listbounce () securityfocus com] On Behalf Of Juan B
-> Sent: Tuesday, May 26, 2009 7:47 PM
-> To: security basics
-> Subject: A good question about NIDS & HIDS or why NIDS and not just
-> HIDS?
->
->
-> Hi,
->
-> I am thinking that if the target of a hacker is always the server so
-> why do I need the NIDS? I can monitor very well just the servers with
-> some kind of HIDS like Ossec and I am done, no? Why should I care about
-> the NIDS when I have a well configured HIDS on every server?
->
-> thanks
->
-> Juan

