IDS mailing list archives

Re: NIDS and HIDS


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 02 Dec 2004 10:03:49 +1300

Karel Chwistek wrote:

> For HIDS's, there appears to be three main categories:  monitoring the
> host's file system, the host's network connections, and the host's log
> files.
> --Host's file system:  I'm looking at Tripwire Manager, Tripwire for
> Servers, and Tripwire for Network Devices.


Slightly OT - but are the days of filesystem monitoring over? I mean, systems must move towards automated updates (e.g. Windows Update, YUM) - which means that "the system" can and will change OS files at will. A filesystem integrity checking solution will go off nearly daily in such an environment.

Or am I just out of touch, and the commercial ones take that into account somehow (it would be easy enough on RPM-based Linux systems - they could interrogate the RPM database to see if something was recently upgraded. Hmmm - but how could they tell it wasn't done by a hacker?)

I know this list is full of people who do InfoSec for a living - but the cold reality is that 99.9% of business isn't represented here - they need security solutions that work and don't require a lot of interaction (I am forever hearing from people about their failed NIDS rollouts because they didn't appreciate the amount of personnel time and effort that was required to maintain it). HIDS - like NIDS - need lots of interaction (how many of our Mums can run ZoneAlarm comprehensively?)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
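As an added example (not part of the thread, nor any vendor's product), here is one way a file-integrity monitor could reconcile its alerts against the package database along the lines Jason sketches: a changed file is only "explained" if its current hash matches the digest the package manager recorded for it and the owning package was installed after the baseline; checking the recorded digest rather than just the install time is what distinguishes an update from a modified file. The package records and alerts below are constructed stand-ins for what `rpm -V` and `rpm -q --last` would report, and all paths, packages and timestamps are hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class PkgFile:
    package: str        # owning package
    installed_at: int   # epoch seconds when that package was (re)installed
    digest: str         # sha256 the package manager recorded for this path
    config: bool = False  # marked %config: local edits are expected


def digest_of(content: str) -> str:
    """sha256 of a string; used only to build constructed sample data."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed stand-in for the RPM database (hypothetical packages and times).
PKG_DB = {
    "/usr/bin/ssh": PkgFile("openssh-clients", 1_101_900_000, digest_of("ssh-3.9p1")),
    "/bin/login": PkgFile("util-linux", 1_100_000_000, digest_of("login-2.12")),
    "/etc/ssh/sshd_config": PkgFile("openssh-server", 1_101_900_000,
                                    digest_of("sshd_config-default"), config=True),
}


def classify(alerts: dict, baseline_time: int, pkg_db: dict = PKG_DB) -> dict:
    """alerts maps path -> current sha256 reported by the integrity checker.

    Returns path -> verdict:
      updated     matches the package's digest and the package postdates the baseline
      restored    matches the package's digest but the package predates the baseline,
                  i.e. the baseline had captured a locally modified copy
      config-edit differs from the package digest but the file is a %config file,
                  so an admin edit is plausible and needs review, not an auto-alarm
      tampered    differs from what the package manager installed
      unowned     no package claims the path; nothing in the db explains the change
    """
    verdicts = {}
    for path, current in alerts.items():
        rec = pkg_db.get(path)
        if rec is None:
            verdicts[path] = "unowned"
        elif current != rec.digest:
            verdicts[path] = "config-edit" if rec.config else "tampered"
        elif rec.installed_at > baseline_time:
            verdicts[path] = "updated"
        else:
            verdicts[path] = "restored"
    return verdicts
```

Only the "updated" verdict is safe to suppress automatically; "restored" and "config-edit" still deserve a human look, and the package database itself must be trusted (signed packages, protected rpmdb) for any of this to hold.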

