Host-Based IDS vs Network-Based IDS (Part 2 – Comparative Analysis)


This white paper focuses on HIDS and the benefit of a HIDS within a corporate environment.  A comparative analysis of the industry leaders is also presented, and the paper concludes with a considered recommendation to help organizations decide on a comprehensive HIDS or NIDS solution.  Elaborate testing and comparative analysis was done on 6 industry leaders.  For ease of use and for the sake of time I have summarized the features supported in the table below.  The full white paper ran to over 60 pages and has been shortened to make the decision process quicker and less painful.  More information can be found by following the links below.


What is a HIDS (Host intrusion detection system)?


Host intrusion detection systems are intrusion detection systems that are installed locally on host machines.  This makes a HIDS far more versatile than a NIDS: it can be installed on many different types (roles) of machine, namely servers, workstations and notebook computers.  This gives an organization an edge in the places where a NIDS fails because the segment it would have to watch lies beyond the reach of its sensors.


Workings of HIDS


When traffic is transmitted to the host it is analyzed and passed on to the host only if there are no potentially malicious packets within the data transmission.  A HIDS is more focused on what changes on the local machine, whereas a NIDS focuses on the network rather than on specific hosts.  A HIDS is also more platform specific and caters strongly to the Windows market, although there are products available that function in UNIX and other OS environments.  There are a lot of products on the market today that perform HIDS, but none are as comprehensive as LANguard by GFI.  I have found this product to be very complete when it came to IDS, and furthermore it did a full security analysis of the machine.


Choose NIDS or HIDS?


Many security professionals are aware that there are NIDS and HIDS, and I am often asked which one is best.  The answer is HIDS for a complete solution, with NIDS as a LAN solution complementing the HIDS.  Similarly, when antivirus software is installed it is not only installed on your main servers, but on all your clients as well.  There is no reason why NIDS and HIDS cannot be used in conjunction as a strong, complementary IDS strategy.  It is perceived that a NIDS is easier to disable from an intruder's perspective, and I tend to agree with this notion.  Rather install multiple detection nodes on your enterprise network using HIDS than have only one NIDS with a few detection nodes spanning only one segment.  If you have concerns about specific computers that you fear intruders will attack, rather protect them using HIDS: this is the more secure decision, and it is equivalent to installing an alarm in your safe in case someone comes for your cash at night and gets past your primary house alarm system.


IDS supports verbose logging and many events are logged every day, so ensure that only pertinent data is collected and that you do not get inundated with unnecessary data.  A HIDS produces more logging than a NIDS, which is not surprising when you consider that a HIDS logs all machines on the network.  Whether you are looking at HIDS or NIDS, ensure that you find a vendor that has good technical backup and that releases pattern files promptly when new vulnerabilities are released into the wild, much like an antivirus application.  If you have LAN bandwidth constraints it is very feasible to look at a HIDS.
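Collecting "only pertinent data" in practice means two things: drop event types that carry no security signal, and aggregate the noisy ones so a burst of identical events produces one alert rather than hundreds. The Python below is an added example of that triage step as a HIDS log monitor would apply it to a Windows Security log; it is not code from any product on this page. The log lines are a constructed, simplified one-line-per-event format, and the event IDs used are the pre-Vista Windows Security log IDs 528 (successful logon), 529 (logon failure), 592 (process created), 624 (user account created) and 517 (audit log cleared). The threshold of 5 failures is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample log (simplified format, not a real export): timestamp host event_id outcome user src
SAMPLE_LOG = """\
2003-05-12 02:14:01 SRV01 528 Success Audit user=svc_backup src=10.0.0.20
2003-05-12 02:14:03 SRV01 529 Failure Audit user=administrator src=10.0.0.77
2003-05-12 02:14:04 SRV01 529 Failure Audit user=administrator src=10.0.0.77
2003-05-12 02:14:05 SRV01 529 Failure Audit user=administrator src=10.0.0.77
2003-05-12 02:14:05 WS014 592 Success Audit user=jsmith src=-
2003-05-12 02:14:06 SRV01 529 Failure Audit user=administrator src=10.0.0.77
2003-05-12 02:14:07 SRV01 529 Failure Audit user=administrator src=10.0.0.77
2003-05-12 02:14:09 WS014 529 Failure Audit user=jsmith src=10.0.0.14
2003-05-12 02:15:30 SRV01 624 Success Audit user=administrator src=10.0.0.77
2003-05-12 02:15:31 SRV01 517 Success Audit user=administrator src=10.0.0.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event_id>\d+) (?P<outcome>\w+ Audit) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Event IDs worth keeping; everything else is dropped before it reaches an analyst.
PERTINENT = {
    529: "logon failure",
    624: "user account created",
    517: "audit log cleared",
}
FAILURE_THRESHOLD = 5  # assumed tuning value: alert once this many failures repeat for one host/user/source


def triage(log_text: str, threshold: int = FAILURE_THRESHOLD) -> dict:
    """Filter a log to pertinent events and collapse repeated logon failures into one alert."""
    failures: Counter = Counter()
    alerts: list[str] = []
    stats = {"lines": 0, "pertinent": 0, "dropped": 0}

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: ignore rather than crash the monitor
        stats["lines"] += 1
        event_id = int(m["event_id"])
        if event_id not in PERTINENT:
            stats["dropped"] += 1
            continue
        stats["pertinent"] += 1

        if event_id == 529:
            # Aggregate: one alert when the threshold is first reached, not one per failure
            key = (m["host"], m["user"], m["src"])
            failures[key] += 1
            if failures[key] == threshold:
                alerts.append(f"{m['host']}: {threshold} logon failures for {m['user']} from {m['src']}")
        else:
            # Rare, high-value events are always reported individually
            alerts.append(f"{m['host']}: {PERTINENT[event_id]} by {m['user']} from {m['src']}")

    stats["alerts"] = alerts
    return stats


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['lines']} lines, {summary['pertinent']} pertinent, {summary['dropped']} dropped")
    for alert in summary["alerts"]:
        print("ALERT:", alert)
```

Of the ten sample lines, eight are pertinent and only three alerts result: the five repeated failures collapse into one, and the account creation and log clearing that follow each stand alone. Raising the threshold (for example on a host where users mistype passwords frequently) suppresses the failure alert without hiding the two rarer events, which is the kind of per-host tuning an agent-based HIDS allows.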




The diagram above (not reproduced here) represents the HIDS scenario.



The table below represents a concise comparison of industry standard specifications and requirements when selecting an IDS package.  More stars means a better rating; the Result row is the total the author assigned to each product.


| Criterion | INTRUST Event admin (Aelita) | ELM 3.0 (TNTsoftware) | GFI LANguard S.E.L.M | Snort (ISS) | Cisco Secure IDS | Dragon (Enterasys) |
|---|---|---|---|---|---|---|
| NIDS/HIDS | HIDS | HIDS | HIDS | NIDS | NIDS | NIDS |
| Management console | *** | *** | *** | *** | ** | **** |
| Attack detection | ** | *** | *** | *** | *** | **** |
| Ease of use | *** | *** | **** | ** | ** | *** |
| Price for 100 workstations and 5 servers | $9400 | $10,290.00 (modular pricing from website) | $1620 (modular pricing from website) | FREE (software package) | $7,929.79 | $6115.89 |
| Ease of installation and deployment | *** | ** | *** | * | ** | *** |
| Security knowledge required (more stars means less knowledge required) | *** | **** | **** | * | * | ** |
| Attacker detectability | *** | *** | *** | **** | *** | *** |
| Secure channel communication | *** | * | ** |  |  |  |
| Ease of operational management | ** | *** | *** | ** | *** | **** |
| Product update frequency | ** | ** | * | *** | ** | **** |
| SNMP compatibility | *** | **** | ** | ** | *** | *** |
| Reporting capability | **** | **** | **** | *** | *** | **** |
| Performance | *** | **** | **** | **** | *** | *** |
| Infrastructure adaptation | *** | *** | *** | ** | *** | **** |
| Windows platform compatibility | *** | *** | *** | *** | *** | *** |
| Unix platform compatibility | *** | * | * | **** | *** | *** |
| Backup and support | *** | *** | **** | *** | *** | **** |
| Log monitoring | *** | **** | **** | *** | ** | ** |
| Incident detection | *** | **** | **** | *** | *** | *** |
| Event reporting | **** | *** | *** | *** | *** | *** |
| Agents (an administrative burden: no agents = more stars) | *** | * | **** | **** | **** | **** |
| Result | 59 | 57 | 62 | 53 | 61 | 62 |


IDS selection phases.


When selecting an IDS there are a few considerations that need to be taken into account and incorporated into the planning phase.  Some of these considerations are highlighted below.



  1. The concept phase: This phase identifies the IDS requirements and defines what the business needs and how an IDS can match those needs.  It should reflect the coverage of your critical assets and compliance with your security policy.
  2. The IDS solution evaluation phase: This phase is used to select the appropriate product to meet the business needs.  It should also be used as the test forum to benchmark IDS software and, in conjunction with the concept phase, as the final checkpoint when selecting the matching business solution.
  3. The deployment and commissioning phase: This phase is used to implement the chosen IDS solution and should be very smooth if the appropriate planning has been done.  By this time all of the quirks should have been ironed out and no unknown issues should crop up to stall commissioning.  The solution should run efficiently and effectively when this phase is complete.

Website and vendor links and Info.


The industry leaders have been tested here, so the results are comparatively high compared to other IDS products.  Below is a brief description of each product and links to its website.  More elaborate information can be found on the vendors' websites.




1.  Intrust


This product has many features that make it a viable solution for an enterprise environment.  With its UNIX compatibility it has great flexibility.  It ships with a reporting console that has over 1000 customizable reports that help when reporting on intricate issues.  It also supports a comprehensive alerting solution that alerts the security officer on mobile devices and many other specifiable technologies.



  1. Comprehensive alerting features.

  2. Comprehensive reporting features.


  3. Consolidation and audit of performance data from cross platforms.


  4. Rewind network feature support from elaborate client side network logging.


  5. Data filtering for easier reviewing.


  6. Real-time monitoring.


  7. Captured data analysis.


  8. Industry standards compliance.


  9. Rule compliance enforcement.


More Info


2.  ELM


TNT Software has developed a good piece of software that supports HIDS functionality; the product on which the comparative analysis has been based is known as ELM Enterprise Manager.  This product supports real-time monitoring, a comprehensive notification engine and an elaborate reporting method.  Database redundancy has been implemented to ensure that the software's database is safe: if the ELM main database is offline, ELM Server automatically creates a temporary database to store data until the main database is back online.


Below is a brief overview on ELM Enterprise Manager 3.0




  1. ELM supports a flexible MMC snap-in console interface.


  2. Supports monitoring for all of the Microsoft .NET servers by monitoring traditional performance monitor counters and event logs.


  3. Supports a reporting wizard and editor that can schedule ASCII or graphical HTML reports.


  4. Centralized viewing of Windows Event Logs on multiple servers.


  5. Web-enabled client (requires an XML- and JavaScript-enabled browser).


  6. Knowledge Base interface support.


  7. Notification Engine support that can execute wscripts, cscripts, and CMD/BAT files.


  8. SQL Server and Oracle data repository support.


  9. WMI-compatible queries for comparative purposes.


  10. Corrective action when an intrusion is detected.


More Info


3.  GFI LANguard S.E.L.M. 


What a comprehensive solution.  GFI has done it again: a clever solution for an irritating problem.  This product has many features and requires little specialized knowledge to install; it really was smooth sailing.  The one thing that I thought could be improved upon was the UNIX support.  The multitude of features, backup support and comprehensive enterprise solution made up for that little quirk.


Below is a brief overview on GFI LANguard S.E.L.M.



  1. Automatic, network-wide security analysis of event logs.


  2. Network-wide event log management.


  3. Enhanced detection of insider hacking.


  4. Reduces TCO as less specialized knowledge is required.


  5. No agents or client software required.


  6. No impact on network traffic.


  7. Very scalable, suited to small or enterprise networks.


  8. Confidential file monitor.


  9. Comprehensive log monitoring.


  10. Detects attacks where local user accounts are used (online or offline).


More Info


4.  Snort 


Snort is a great product and it wins hands down when it comes to UNIX environments.  The latest release is aimed at the Windows platform but is a little buggy and still needs some refinement.  The best thing about this product is the price: it is open source and costs nothing except the time and bandwidth it takes to download.  This solution has been developed by people who understand security in intricate detail, and it performs very well on very inexpensive hardware, making it a viable product for any organization.


Below is a brief overview on SNORT




  1. Support for high performance configuration built into the software.


  2. Strong UNIX support.


  3. Flexible open source support.


  4. Strong SNMP support.


  5. Centrally managed modular plug-in support.


  6. Intrusion detection and alerting support


  7. Packet logging and built in leading sniffer.


  8. Comprehensive attack detection.


  9. Elaborate output modules providing comprehensive logging abilities.


  10. User support on mailing lists and through email interaction.


More Info


5.  Cisco IDS


This solution is very hardware and Cisco driven, giving it a quality look and feel; in keeping with the well-renowned Cisco tradition, a good product has been made.


Below is a brief overview on Cisco’s IDS device




  1. Enterprise misuse detection features that are accurate, allowing for fewer false alarms.


  2. Enterprise scalability, as with all Cisco products.


  3. Real-time intrusion detection, reporting and termination of unauthorized activity.


  4. Strong pattern analysis detecting any level of misuse.


  5. Good network performance, with solid uptime statistics.


  6. Dynamic router access list management that adapts to the intruder's habits.


  7. Central GUI management.


  8. Remote management.


  9. E-mail event notification enabled.


More Info


6.  Dragon


What a comprehensive solution for the enterprise.  This product is very customizable, uniquely meeting specific security requirements in the enterprise environment.  It is very modular, supporting NIDS, server management, event management, attack monitoring and scalable architecture mapping.  This is a very complete IDS solution with extremely well designed software and well integrated monitoring.  The one quirk is the price.


Below is a brief overview on Dragon (the enterprise version).




  1. Dragon supports both NIDS and HIDS solutions.


  2. Cross-platform support for Windows, Linux, Solaris and AIX.


  3. Modular and extensible.


  4. Centralized management and monitoring.


  5. Comprehensive analysis and reporting.


  6. Highly scalable and customizable to enterprise specifications.


  7. Effective security monitoring, integrating with switches, firewalls and routers.


  8. Executive reporting compilation.


  9. Excellent signature update frequency and granular detection.


More Info


Summary


When concluding this exercise it became apparent that there were two main contenders in the industry, one being the Dragon NIDS by Enterasys and the other LANguard S.E.L.M by GFI Software.  These products both excelled in the marketplace with good all-round capabilities and had excellent online support.  When looking for evaluation software there were no issues with obtaining a specimen to test, and both integrated well with the existing Windows network infrastructure.  It became clear why these products have made it as the industry leaders.  The other products are not too far behind but lack the edge that the top two have.  They may catch up in future to where the top two now are, but by that time I am sure the top two would have moved even higher, setting the pace at an even higher standard.
