From: Jeff Nathan (jeffWWTI.COM)
Date: Sat Apr 28 2001 - 21:50:18 CDT


    This is a very legitimate point. NIDS systems generally have a limited
    purview of the network they're observing. And, as Mr. Ptacek and Mr.
    Newsham pointed out, additional information is needed to resolve the
    ambiguities NIDS systems face. While there isn't necessarily any
    standard way of gathering host-based information as of yet, there is
    certainly a plethora of information available on an end host!

    Consider that an end host can offer up (through an agent or what not)
    CPU/memory utilization statistics, such that it could be determined
    whether or not an attack observed by a NIDS system would ever have been
    accepted by the target system, based upon whether or not it was starved
    of CPU/memory. It would be nice if this could be expanded to include
    network utilization at an end host, but don't hold your breath. A
    highly simplified agent running on an end host could provide a
    centralized IDS repository with information describing its IP stack and
    even the number of hops the host is away from the IDS (TTL-based
    insertion attacks, anyone?).

    Maybe we shouldn't keep trying to deploy HIDS systems as a single
    product solution. First off, the quality of product I see from many
    vendors is, well... questionable (I won't go off on an OpenBSD-slanted
    quality-of-code tangent here... and I'm not targeting security product
    vendors), and let's consider that very few vendors actually target enough
    platforms to make their be-all end-all products a truly valuable
    solution on even the *most* critical hosts in a large enterprise. I've
    seen people mention Tripwire; hell, that's a grand idea, but that's just
    one component of HIDS. I'm sure all the folks on this list who are a
    lot brighter than I am can think of many other technologies they can
    deploy on an end host to significantly improve its HID abilities (think
    secure OS build + local firewall + tripwire + lots of logging + foo +
    bar + bas). And, you're right, it is a royal PITA to install all this
    on every critical system as well as maintain it, but if the tradeoff is
    that some security is better than none, I'll take some.

    As we continue to talk about the accuracy of signature systems versus
    anomaly-based systems, I'd like to point out that they both suffer from a
    limited purview of the network. Neither approach, as of yet, is
    guaranteed to defragment, reassemble TCP streams, handle IP options
    within fragments, handle fragment overlaps, handle fragment timeouts,
    etc. in exactly the same manner as the end host.

    So, if we want to start talking about accuracy of HIDS/NIDS systems, we
    should really keep in mind that some of the most fundamental problems
    should be attacked first, so that by the time we get up into dealing
    with applications, we're that much closer to being able to accurately
    represent what's going on at an end host and not leaving our deployed ID
    systems open to insertion and evasion attacks.

    -Jeff

    Devdas Bhagat wrote:
    >
    >
    > I would say that the biggest limitations of HIDS have been that they
    > have to run on each machine being monitored.
    > This uses up precious resources on heavily loaded machines, and the
    > admin has a whole lot more to check (multiple points to monitor instead
    > of one).
    >
    > My POV is that neither NIDS or HIDS alone will suffice. You will need
    > to run both to handle the entire range of threats.
    >
    > Devdas Bhagat
    > --
    > Basic is a high level languish. APL is a high level anguish.

    --
    http://jeff.wwti.com (pgp key available)
    "Common sense is the collection of prejudices acquired by age eighteen."
    - Albert Einstein
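The two ambiguities Jeff points at, a TTL-based insertion attack and end hosts that resolve overlapping fragments differently, can be shown together in a small simulation. The Python below is an added example for this archive page; it is not code from the thread, from Neohapsis, or from any product mentioned. Everything in it is assumed for illustration: the fragment stream is constructed, fragment offsets are modelled in bytes rather than real IP 8-byte units, the two overlap policies ("first" and "last") are a simplification of the offset-dependent rules real stacks use, and the hop counts (sensor two routers from the attacker, target five) are arbitrary. The last function is the remedy the post argues for: a host agent reports its hop distance and reassembly behaviour, and the sensor reassembles as that host would.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    """One fragment of a single datagram's payload, as sent by the attacker.

    Simplification (assumed for this example): offsets are in bytes, not the
    8-byte units of real IP fragmentation, and only the payload is modelled.
    """
    offset: int   # byte offset into the reassembled payload
    data: bytes
    ttl: int      # IP TTL as the packet leaves the attacker


def reaches(frag: Fragment, hops: int) -> bool:
    """A packet survives `hops` routers iff its TTL exceeds that count:
    each router decrements the TTL and discards the packet when it hits 0."""
    return frag.ttl > hops


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under an overlap policy.

    'first': data already received wins on overlap (the later copy is ignored).
    'last' : the most recently received data overwrites earlier data.
    Real stacks use more elaborate, offset-dependent rules; these two are
    the simplest pair that disagree (assumed policies, not any named OS).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    if not buf:
        return b""
    length = max(buf) + 1
    missing = [p for p in range(length) if p not in buf]
    if missing:
        raise ValueError(f"hole in fragment stream at offsets {missing[:3]}")
    return bytes(buf[p] for p in range(length))


def observed(frags: List[Fragment], hops: int, policy: str) -> bytes:
    """What an observer `hops` routers from the attacker reassembles."""
    return reassemble([f for f in frags if reaches(f, hops)], policy)


# Constructed attack stream (not captured traffic). The attacker wants the
# target to see "GET /admin" while a sensor nearer the attacker sees
# "GET /index": fragment 2 is chaff whose TTL expires before the host.
ATTACK_STREAM = [
    Fragment(offset=0,  data=b"GET /",         ttl=64),
    Fragment(offset=5,  data=b"index",         ttl=3),   # dies after 3 routers
    Fragment(offset=5,  data=b"admin",         ttl=64),  # overlaps the chaff
    Fragment(offset=10, data=b" HTTP/1.0\r\n", ttl=64),
]
NIDS_HOPS = 2   # assumed: the sensor sits two routers from the attacker
HOST_HOPS = 5   # assumed: the target host is five routers away


def compare_views() -> Dict[str, bytes]:
    """Payload reassembled by the sensor and by the host, under both policies."""
    return {
        "nids/first": observed(ATTACK_STREAM, NIDS_HOPS, "first"),
        "nids/last":  observed(ATTACK_STREAM, NIDS_HOPS, "last"),
        "host/first": observed(ATTACK_STREAM, HOST_HOPS, "first"),
        "host/last":  observed(ATTACK_STREAM, HOST_HOPS, "last"),
    }


def nids_with_host_profile(frags: List[Fragment], host_hops: int,
                           host_policy: str) -> bytes:
    """Sensor-side reassembly using an agent-reported host profile: fragments
    that cannot reach the host are dropped and overlaps are resolved the way
    the host resolves them (hypothetical agent data, assumed for the demo)."""
    return observed(frags, host_hops, host_policy)


if __name__ == "__main__":
    for name, payload in compare_views().items():
        print(f"{name:11s} -> {payload!r}")
    print("normalised  ->", nids_with_host_profile(ATTACK_STREAM, HOST_HOPS, "first"))
```

Run stand-alone, the sensor under the "first" policy reassembles `GET /index HTTP/1.0` while the host (which never receives the chaff fragment) reassembles `GET /admin HTTP/1.0` under either policy; a sensor that favours the last fragment happens to agree with the host here, but only by luck, since reversing the order of the two overlapping fragments flips which policy is fooled. Only the hop-count-aware reassembly in `nids_with_host_profile` matches the host regardless of ordering, which is the point about needing end-host information to resolve the ambiguity.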