Re: A good question about NIDS & HIDS or why NIDS ant not just HIDS?

[Francois Yang <francois.y () gmail com>]

You have to think defense in depth.
Yes an attacker may want to go after your data on your servers, but
they may not hit your servers directly.
what if they get to a workstation and use that workstation as a
launching point to get into the server?
To the server it may look like a workstation/user doing regular work
so no triggers are tripped or the attacks can be mixed up with all the
legitimate traffic from the workstation that you may not pay close
attention to it.
Using a NIDS, may help you detect the malicious activities from and
against the workstation.

Frank


On Fri, May 29, 2009 at 11:20 AM, Thrynn <thrynn404 () gmail com> wrote:
> Without knowing your infrastructure (number of servers, desktops,
> routers, etc) it is hard to say whether you should care about a
> network based detection system or not. If you have only one server,
> then you certainly can say that it will be the only target, otherwise,
> how can you be sure? In a larger network, NIDS can possibly give you
> an *earlier* indication that something is happening, before your HIDS
> gets tripped. I don't think one is a replacement for another and since
> you point to a free HIDS, certainly cost isn't a limiting factor since
> there is a free NIDS.
>
> On Tue, May 26, 2009 at 8:46 PM, Juan B <juanbabi () yahoo com> wrote:
> > HI,
> >
> > I am thinking that if the target of  a hacker is always the server so why I need the NIDS ? I can monitor very well 
> > just the servers with some kind of HIDS like Ossec and I am done no? why should I care about the NIDS when I have a 
> > well configured HIDS on every server?
> >
> > thanks
> >
> > Juan
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
> > concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
> > Gain a laser like insight into what is covered on the exam, with zero fluff!
> >
> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
> concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
> Gain a laser like insight into what is covered on the exam, with zero fluff!
>
> http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> ------------------------------------------------------------------------



-- 
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. — White House Cybersecurity
Advisor, Richard Clarke

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------