Monday, February 24, 2014

HIDS/NIDS (host intrusion detection systems and network intrusion detection systems)

Host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS) are methods of security management for computers and networks. In HIDS, anti-threat applications such as firewalls, antivirus software and spyware-detection programs are installed on every network computer that has two-way access to the outside environment, such as the Internet. In NIDS, anti-threat software is installed only at specific points, such as servers that interface between the outside environment and the network segment to be protected.
All methods of intrusion detection (ID) involve the gathering and analysis of information from various areas within a computer or network to identify possible threats posed by hackers and crackers inside or outside the organization. Host-based and network-based ID systems have their respective advantages and limitations. The most effective protection for a proprietary network is provided by a combination of both technologies.

What is a Host Intrusion Detection System?



Host-based intrusion detection (HIDS) refers to intrusion detection that takes place on a single host system. Currently, HIDS involves installing an agent on the local host that monitors and reports on the system configuration and application activity. Some common abilities of HIDS include log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. They often also have the ability to baseline a host system to detect variations in system configuration. In specific vendor implementations these HIDS agents also allow connectivity to other security systems. For example, Cisco CSA has the ability to send host data upstream to Cisco network IPS devices, Checkpoint Integrity can be integrated with Checkpoint Secure Client (Client VPN), and IBM Proventia Desktop is Cisco NAC certified.

HIDS Intrusion Prevention

Most HIDS packages now have the ability to actively prevent malicious or anomalous activity on the host system. Due to the potential impact this can have on the end user, HIDS is frequently deployed in "monitor only" mode initially. This enables the administrator to create a baseline of the system configuration and activity. Active blocking of applications, system changes, and network activity is limited to only the most egregious activities. Administrators can then tune the system policy based on what is considered "normal activity".

Architecture General

Architecture Host Policy

To be effective in an environment with more than a few hosts, HIDS is generally deployed to be managed from a central location. On the management system a policy is configured for deployment to local agents. There can be a single policy for all computers, but more than likely there will be multiple policies for particular operating systems, machine types, physical locations, and user types. As an example, a policy may be specific for all Windows DNS servers, all Windows desktops in a remote office, or all Linux systems in an enterprise. These policies have configuration values unique to the local system requirements. On a Windows host it is common to monitor registry changes, access and changes to .dll files, and application activity. On a DNS server the policy may look to verify the integrity and report on changes to the DNS server configuration files.
Once a policy is configured, it is then applied and distributed to a group of hosts with the agent installed. Some benefits of this central management architecture are the ability to apply changes to many systems at once and create a "baseline" for known system types. Central authentication, alerting, and reporting are also benefits of the central management architecture.

How HIDS works

The HIDS agent monitors system integrity, application activity, file changes, host network traffic, and system logs. Common hashing tools, file timestamps, and system logs, together with monitoring of system calls and the local network interface, give the agent insight into the current state of the local host. If an unauthorized change or activity is detected, the agent will alert the user via a pop-up, alert the central management server, block the activity, or do a combination of the three. The decision is based on the policy that is installed on the local system.
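
The baseline-and-compare file check described above, as an added example that is not from the original post or from any listed product: it records a hash and timestamp per file, then classifies each later difference and looks up the policy action. The POLICY table, the action names and the sample files are hypothetical, and the script only reports the action a policy would choose; it does not block anything.

```python
import fnmatch, hashlib, os, stat, tempfile
from pathlib import Path

# Hypothetical policy: first matching glob decides the response to a change.
POLICY = [("*/named.conf", "block"), ("*.dll", "alert_server"), ("*", "alert_local")]

def snapshot(root):
    """Record (sha256, mtime, size, mode) for every regular file under root."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
            state[path] = (digest, st.st_mtime_ns, st.st_size, st.st_mode)
    return state

def action_for(path):
    return next(act for pat, act in POLICY if fnmatch.fnmatch(path, pat))

def compare(baseline, current):
    """Return (path, kind, action) for each file that differs from the baseline."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = ("added" if old is None else "removed" if new is None
                else "content" if old[0] != new[0] else "metadata")
        findings.append((path, kind, action_for(path)))
    return findings

def demo():
    """Constructed sample tree: one silent edit, one touch, one new file."""
    with tempfile.TemporaryDirectory() as root:
        conf, lib = os.path.join(root, "named.conf"), os.path.join(root, "app.dll")
        Path(conf).write_bytes(b"zone a\n")
        Path(lib).write_bytes(b"v1")
        base = snapshot(root)
        st = os.stat(conf)
        Path(conf).write_bytes(b"zone b\n")                  # same size as before
        os.utime(conf, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        os.utime(lib, ns=(1, 1))                             # timestamp only
        Path(root, "new.txt").write_bytes(b"x")
        return [(os.path.basename(p), k, a) for p, k, a in compare(base, snapshot(root))]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The edit to named.conf keeps the original size and timestamp, so only the hash comparison reveals it, while the touched .dll shows up as a metadata-only change.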


There are many types of HIDS software available. Below is a list of some of the most common:


OSSEC - Open Source Host-based Intrusion Detection System
AIDE - Advanced Intrusion Detection Environment
Prelude Hybrid IDS

Not Free:

IBM Proventia Desktop
Cisco CSA
Checkpoint Integrity
Tripwire Enterprise
Symantec Endpoint Protection
McAfee Host Intrusion Prevention
          Matthew Berge
          Ernst & Young


