IDS mailing list archives

RE: NIDS and HIDS


From: "Chris Petersen" <chris.petersen () security-conscious com>
Date: Thu, 2 Dec 2004 08:33:42 -0700

***** VENDOR RESPONSE ******

As some of the responses to your post mentioned, you might consider
using a Security Event Management product combined with open-source
tools to meet your end needs.  I can't speak to other SIM/SEMS
capabilities but with our product (LogRhythm) you could:

- Use open source Snort on Linux for NIDS.  SEM Agent can forward logs
encrypted or forward to SEM Syslog server
- Use SEM agents to collect logs from servers
- Use SEM agent to collect logs written to flat file
- Use SEM agent to remotely pull Windows Event Logs
- Use SEM agent to perform file integrity and system monitoring
- Forward logs from syslog and snmp reporting devices (e.g., routers,
switches, firewalls) to SEM Syslog/SNMP server

Most SEMs have some or all of the above capabilities.  Where many of
them differ is in how they manage the logs.  Many SEMs don't do much
with the raw log data other than determine if it is an event or not.  In
many cases if it's not an event, the log is thrown away.  We have taken a
different approach in that we have separated log management from event
identification/management.  Logs are stored at one level, analyzed, and
if matching a rule, forwarded as an event.  The advantage of this
approach is that you maintain all log data for analysis purposes but
only high-risk logs (as determined by the user) are forwarded as events.
Our customers have found this architecture extremely useful since it
allows them to "turn up" their IDS sensors since they can filter the
alarms at the log management level and only forward high value alarms as
events.  This way they are able to collect all the noisy,
high-false-positive and/or forensic alarms without inundating the event
manager with too much noise. If they need to investigate something, they
can pull other non-forwarded IDS alarms (and other non-forwarded logs)
from the log management layer.

I think the bottom line is that if you are looking at performing network
monitoring across NIDS, HIDS, and logs, you might want to start at the
center (the SEM) and move outward (the collectors).  IMO, NIDS/HIDS/Logs
are most valuable when they can be effectively and timely monitored and
analyzed. Having spent the last two years building a SEM, this is not
something to take lightly in putting together yourself via a Syslog
server and MySQL.  The process of collecting, parsing, and normalizing
logs from devices reporting in non-standard formats into a usable
report/monitoring format and then developing the monitoring/reporting
tools is not trivial; you can probably count on 1 person, full time for
the next 12 months for engineering alone.

I think by beginning with the SEM you might be able to combine your
existing investment in security technologies with open-source to have a
more effective and less expensive end solution.

Chris Petersen
President/CTO, Security Conscious, Inc.
www.logrhythm.com
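The two-tier design described in the reply above (retain every log, promote only rule matches to events, keep the rest queryable for investigation), as an added illustration that is not LogRhythm's code or anything from the original thread. It assumes Snort's "fast" alert line format; the alert lines, syslog line and risk rules are constructed for the example.

```python
import re

# Constructed sample input: two Snort fast-format alerts and one firewall syslog line.
SAMPLE_LOGS = [
    "12/02-08:31:02.123456  [**] [1:2003:4] ICMP PING NMAP [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "12/02-08:31:05.654321  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:4321 -> 10.0.0.8:80",
    "Dec  2 08:31:07 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.8",
]

# Assumption: Snort fast-alert layout "[**] [gid:sid:rev] msg [**] [Priority: n] {proto} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)

def normalize(raw):
    """Map one raw line onto a common schema so rules can be written once for all sources."""
    m = SNORT_RE.search(raw)
    if m:
        return {"source": "snort", "msg": m["msg"], "priority": int(m["prio"]),
                "src": m["src"], "dst": m["dst"], "raw": raw}
    # Anything else is treated as plain syslog: keep the message body after "host prog: "
    return {"source": "syslog", "msg": raw.split(": ", 1)[-1], "priority": None,
            "src": None, "dst": None, "raw": raw}

class LogManager:
    """Tier 1 (store) keeps every normalized log; tier 2 (events) holds only rule matches."""
    def __init__(self, rules):
        self.rules = rules   # user-defined callables: True means "high risk, forward as event"
        self.store = []      # all logs, forwarded or not (the forensic layer)
        self.events = []     # only what the event manager sees
    def ingest(self, raw):
        rec = normalize(raw)
        self.store.append(rec)                       # nothing is thrown away
        if any(rule(rec) for rule in self.rules):    # filter at the log layer
            self.events.append(rec)
        return rec
    def search(self, **criteria):
        """Pull non-forwarded logs back out of the store, e.g. search(src="10.0.0.5")."""
        return [r for r in self.store if all(r.get(k) == v for k, v in criteria.items())]

# Constructed risk rules: Snort priority 1 alerts and firewall DROPs are events; NMAP pings are not.
RULES = [lambda r: r["source"] == "snort" and r["priority"] == 1,
         lambda r: r["source"] == "syslog" and "DROP" in r["msg"]]

def run_sample():
    lm = LogManager(RULES)
    for line in SAMPLE_LOGS:
        lm.ingest(line)
    return lm
```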

-----Original Message-----
From: Youngquist, Jason R. [mailto:jryoungquist () ccis edu] 
Sent: Monday, November 29, 2004 1:49 PM
To: Focus IDS List
Subject: NIDS and HIDS


I just recently started a new job as a network security analyst and one
of my projects is to implement an intrusion detection system.  I've been
doing some research and perusing the listserv archives and was wondering
if anyone had any thoughts/opinions.


For NIDSs, I've been looking at SourceFire's commercialized version of
Snort, Cisco's IDS appliances, and McAfee's IntruShield.


For HIDSs, there appear to be three main categories:  monitoring the
host's file system, the host's network connections, and the host's log
files.

--Host's file system:  I'm looking at Tripwire Manager, Tripwire
for Servers, and Tripwire for Network Devices.

--Host's network connections:  I'm looking for an enterprise-wide
solution that we can roll out to all the Windows XP machines and
centrally manage.  Since we already use Symantec for anti-virus,
Symantec's Client Security 2.0 seems to incorporate a centrally managed
personal firewall, HIDS, and anti-virus capability. 

--Host's log files:  I'm looking at implementing a centralized
syslog/syslog-ng server on a Linux box and having all Windows XP boxes
and network devices log to it.  I'd also stick the data into a MySQL
database to allow for easy querying.

I'd like to have an analysis program that would take data from the NIDS,
HIDS, syslog, and tripwire logs, put it all together, and be able to
give me some useful charts and graphical summaries so management can see
that their money was well spent in securing the organization's
infrastructure.


Thanks.
Jason Youngquist


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--


