Security Basics mailing list archives

Re: A good question about NIDS & HIDS or why NIDS and not just HIDS?


From: lonervamp () gmail com
Date: Mon, 1 Jun 2009 12:03:57 -0600

Excellent question! My answer will be: you should strive to get both HIDS and NIDS.

1. I think I personally have learned just as much or more about my environment from my NIDS than I have from all the 
HIDS. Just saying, it's a valuable informative detection tool.

2. The target of many hackers is the data, not the server. And the data can be snatched or rerouted on the network 
without any hosts knowing it.

3. The previous response of a layered approach is correct. If you have a HIDS on your web server, will it know to 
detect and alert on an application attack? Will a HIDS on one system know when a rogue peer is conducting a recon scan 
across your network even though it is just hitting 2 ports per host? Or your SQL server is responding to a SQL heads-up 
to someone it shouldn't be? Basically, what one product may miss, another one may catch. The reverse holds true: a HIDS 
can detect things a NIDS cannot, especially involving context of traffic.

4. Your HIDS is out the window once you lose one target to an attacker. Just like traditional viruses disabling AV 
products right away, so too can something you or a user accidentally runs get past the HIDS. And once down, then what? 
All of your other HIDS-protected boxes will never be able to detect your now-owned box as being bad news. However, 
your NIDS may detect that box being pivoted across... The chances of your NIDS being attacked directly are slim, imo. 
(Evasion is another story...)

5. Will you be running HIDS on your network devices? What if someone passes a telnet challenge/response to your router?

6. I've not been impressed with the mess of false alerts and futility of monitoring HIDS across user machines with an 
infinite number of things users do that cause exceptions or false positives. At least with NIDS I tend to feel like I 
have a manageable scope. A minor nitpick since they both throw positives and give information.


You have a great question, by the way, and there is no easy answer other than: both offer you value. I would personally 
never approach it with the goal of dismissing one in favor of the other.
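The "2 ports per host" recon scan in point 3 is the clearest case of why a network vantage point matters, so here is an added illustration (not part of the original post): the same constructed flow records evaluated the way a single host's HIDS would see them versus the way a NIDS watching the whole segment would. The IPs, ports and thresholds are made up for the example.

```python
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, dst_port) as a NIDS sensor on a
# span port would see them. 10.0.0.5 touches only 2 ports on each of 6 hosts;
# 10.0.0.9 is a legitimate client talking to one host on one port.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.1", 22), ("10.0.0.5", "10.0.1.1", 445),
    ("10.0.0.5", "10.0.1.2", 22), ("10.0.0.5", "10.0.1.2", 445),
    ("10.0.0.5", "10.0.1.3", 22), ("10.0.0.5", "10.0.1.3", 445),
    ("10.0.0.5", "10.0.1.4", 22), ("10.0.0.5", "10.0.1.4", 445),
    ("10.0.0.5", "10.0.1.5", 22), ("10.0.0.5", "10.0.1.5", 445),
    ("10.0.0.5", "10.0.1.6", 22), ("10.0.0.5", "10.0.1.6", 445),
    ("10.0.0.9", "10.0.1.1", 443), ("10.0.0.9", "10.0.1.1", 443),
]


def ports_per_host(flows):
    """Build src -> dst -> {distinct destination ports} from flow records."""
    table = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        table[src][dst].add(dport)
    return table


def hids_view(flows, host, port_threshold=5):
    """What a HIDS on a single host can see: sources that probed at least
    port_threshold distinct ports on *this* host. A 2-port touch never trips it."""
    table = ports_per_host(flows)
    return sorted(src for src in table
                  if len(table[src].get(host, ())) >= port_threshold)


def nids_horizontal_scan(flows, host_threshold=5):
    """What a NIDS on the segment can see: a source that touched at least
    host_threshold distinct hosts, however few ports it hit on each."""
    table = ports_per_host(flows)
    return sorted(src for src, hosts in table.items()
                  if len(hosts) >= host_threshold)


if __name__ == "__main__":
    print("HIDS on 10.0.1.1 alerts on:", hids_view(SAMPLE_FLOWS, "10.0.1.1"))
    print("NIDS horizontal-scan alerts on:", nids_horizontal_scan(SAMPLE_FLOWS))
```

Every individual host sees only two ports from 10.0.0.5 and stays quiet, while the network view counts six distinct targets from one source and flags it.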





<original post>

Hi,

I am thinking that if the target of a hacker is always the server, then why do I need the NIDS? I can monitor very well just 
the servers with some kind of HIDS like Ossec and I am done, no? Why should I care about the NIDS when I have a well 
configured HIDS on every server?

thanks

Juan

