Saturday, October 10, 2009

Intrusion Detection Systems (HIDS and NIDS)

Someone recently mentioned that they took the CompTIA Security+ SY0-201 exam and had several IDS questions such as HIDS and NIDS. This makes a lot of sense since these are heavily covered on the objectives. Here are some of the basics:

An Intrusion Detection System (IDS) is designed to detect intrusions but a host-based IDS (HIDS) works a little differently than a network-based IDS (NIDS). Some of the points of each are:

  • Installed on a host computer such as a workstation or server
  • It is used primarily to monitor traffic going through the NIC of the host
  • Can consume resources of the workstation
  • Can monitor network traffic sent to the host or coming from the host only
  • Data stored locally (on the host)
  • Installed on network devices (such as firewalls, routers or switches)
  • These devices are referred to as sensors or tabs
  • Data centrally managed - sensors report back to a central console
  • Cannot monitor encrypted traffic on individual hosts
Both types can use either signature-based detection or anomaly-based detection.

The IDS looks for known attack patterns (similar to how anti-virus program use virus signatures)

A baseline of normal operation is created to determine normal operation. When events occur that are ‘out of the norm’ (anomalies), the system alerts

Also, both types can have either a passive or active response.

Passive Response
Alerts are logged and personnel are typically notified.

Active Response
An active response will also take some action to modify the environment. A common active response would be to change the ACL on a router or firewall to block access from the attacker.

Darril Gibson