Saturday, April 7, 2007

Intrusion Detection Systems (HIDS vs. NIDS)

This post lists some of the advantages and disadvantages of network-based and host-based intrusion detection systems. Let's start with host-based intrusion detection systems (HIDS).

HIDS advantages:
  • Can use information that never crosses the wire: system logs, service and process activity, registry events, file changes, etc.
  • Sees what the host sees after decryption, so an attack carried inside an SSL or SSH session is still visible to it.

HIDS disadvantages:

  • By the time a HIDS detects an attack, the attacker has already reached the host. It is detection after the fact, rarely prevention.
  • Consumes CPU, memory and disk on the very host it protects.
  • The agent and its logs live on the host, so once the host is compromised the intruder can tamper with them or silence them.

NIDS advantages:

  • Usually a separate box, so it takes no cycles from the systems it watches (no overhead on the servers).
  • Good for detecting unauthorized outside access, bandwidth theft and denial-of-service attacks.
  • Fairly easy to deploy: one sensor on a mirror (SPAN) port or tap covers a whole segment without touching the hosts.
  • Deployed passively off a tap or mirror port, it adds no latency to the network.

NIDS disadvantages:

  • Most people don't size the sensor for traffic growth. Once a NIDS is overloaded and starts dropping packets you can't trust anything it reports, because the attack may be in the packets it dropped. Most sensors expose a dropped-packet counter; watch it.
  • Sees only packets on the wire. It cannot read audit records on the systems it protects, and it cannot inspect payloads inside encrypted sessions.
  • Susceptible to "low and slow" attacks: probes spread over hours or days stay under the threshold of rate-based rules, and the sensor forgets the earlier probes as its window of state expires.
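The "low and slow" problem is easiest to see with a rule in hand. The script below is an added example written for this post, not code from any NIDS product: it implements a hypothetical threshold rule ("alert when one source touches more than 20 distinct ports within 60 seconds") and runs it over two constructed scans, one fast and one that probes a port every ten minutes. The source addresses, window and threshold are made up for the demo.

```python
"""Threshold port-scan rule over constructed packet records (added example).

Shows why a rate-based NIDS rule catches a fast scan but misses a 'low and
slow' scan of the same ports, and what it costs to widen the window.
"""
from collections import defaultdict, deque

# Hypothetical rule parameters, chosen for the demo.
WINDOW_SECONDS = 60
PORT_THRESHOLD = 20


def detect_scans(packets, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """packets: iterable of (timestamp_seconds, src_ip, dst_port), sorted by time.

    Returns {src_ip: timestamp_of_first_alert} for every source that touched
    more than `threshold` distinct ports inside any `window`-second span.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, port) still in the window
    alerts = {}
    for ts, src, port in packets:
        q = recent[src]
        q.append((ts, port))
        # Expire state older than the window; this is what makes slow scans invisible.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def fast_scan(src, start, n_ports=100):
    """Constructed traffic: one port probed every second."""
    return [(start + i, src, 1 + i) for i in range(n_ports)]


def slow_scan(src, start, n_ports=100, gap=600):
    """Constructed traffic: the same ports, one probe every `gap` seconds (10 minutes)."""
    return [(start + i * gap, src, 1 + i) for i in range(n_ports)]


def demo():
    """Run the rule over both scans mixed together; only the fast scanner trips it."""
    packets = sorted(fast_scan("10.0.0.5", 0) + slow_scan("10.0.0.9", 0))
    return detect_scans(packets)


if __name__ == "__main__":
    print("60 s window alerts:", demo())
    # Catching the slow scanner means holding a day of per-source state.
    print("24 h window alerts:", detect_scans(slow_scan("10.0.0.9", 0), window=86400))
```

The fast scanner is reported at the 21st probe; the slow scanner never is, because at most one of its probes is ever inside the window. Widening the window to a day does catch it, but then the sensor keeps a day of state for every source it has seen, which is exactly the sizing problem from the previous bullet.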

It's best to use a combination of both NIDS and HIDS. Busy VPN gateways and web, mail and DNS servers often can't spare the overhead of a full HIDS agent. A good strategy for them is a NIDS in front plus a system integrity verifier such as Tripwire, run on a long cycle (about every 24 hours) to keep the overhead low. Keep the verifier's baseline database off the host or on read-only media; an intruder who can change the files can otherwise change the baseline to match. These servers are especially important to protect, since about 33% of attacks are aimed at such high-value servers.
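To make the integrity-verifier idea concrete, here is an added example in the spirit of Tripwire; it is not Tripwire's code. It hashes every regular file under a directory into a baseline, and on a later run reports files that were added, removed or modified (content, size or permission bits). The monitored tree, the "intrusion" and the file names are all constructed inside a temporary directory for the demo; in real use you would run `snapshot` plus `compare` from a daily cron job and keep the baseline file somewhere the host cannot rewrite.

```python
"""Minimal file-integrity verifier in the spirit of Tripwire (added example).

Build a baseline of (size, permission bits, sha256) per file, then diff a later
snapshot against it. The demo tree and the simulated tampering are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> [size, permission bits, sha256] for regular files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = [st.st_size, st.st_mode & 0o7777, hash_file(full)]
    return snap


def save_baseline(snap, path):
    # Store this outside the monitored tree, ideally off-host or read-only.
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, run the check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        _write(os.path.join(bin_dir, "login"), b"original login binary\n")
        _write(os.path.join(root, "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        db = os.path.join(store, "baseline.json")   # kept outside the monitored tree
        save_baseline(snapshot(root), db)

        # Simulated tampering: trojaned login, new setuid shell, deleted passwd.
        _write(os.path.join(bin_dir, "login"), b"trojaned login binary\n")
        _write(os.path.join(bin_dir, "sh"), b"#!/bin/sh\n")
        os.chmod(os.path.join(bin_dir, "sh"), 0o4755)
        os.remove(os.path.join(root, "passwd"))

        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because permission bits are part of the record, a chmod that adds a setuid bit to an otherwise unchanged file is reported as a modification too. A daily run costs one pass of hashing over the monitored tree, which is the low-overhead trade the paragraph above describes: you learn about the change within a day rather than within seconds.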
