
October 2, 1998

The Need for Both Network- and Host-Based Intrusion Detection

Both network- and host-based IDS solutions have unique strengths and benefits that complement each other. A next-generation IDS, therefore, must include tightly integrated host and network components. Combining these two technologies will greatly improve network resistance to attacks and misuse, enhance the enforcement of security policy and introduce greater flexibility in deployment options.

The graphic below illustrates how network- and host-based intrusion detection techniques interact to create a more powerful network defense. Some events are detectable by network means only. Others are detectable only at the host. Several require both types of intrusion detection to function properly.

[Figure: Intruder and Victim, with events grouped by the type of intrusion detection that detects them]

Network-based only:
- SYN Flood attack
- Land, Smurf, TearDrop attacks
- BackOrifice hacker tool
- Win Nuke attack

Network-based and Host-based:

1) Telnet to a system - Network IDS
2) Intruder SU’s to root - Host IDS
3) Turns off logging - Host IDS

1) Port scan - Network IDS
2) HTTP cgi-bin attack - Network IDS
3) Changes a Web page - Host IDS

1) Port scan - Network IDS
2) Sendmail WIZ attack - Network IDS
3) Root Shell Accessed - Host IDS

Host-based only:
- Encrypted network traffic
- Overwrite the login executable
- Walk up to the keyboard attack ex. Sun openPROM
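
The three multi-step scenarios in the figure can be read as correlation rules over alerts from both sensor types. The sketch below is an added example, not code from the original paper or from any IDS product; the event names, the alert tuple layout, the one-hour window and the sample alerts are all assumptions made for illustration.

```python
from collections import defaultdict

# Ordered (sensor, event) steps for the three multi-step scenarios in the figure.
# Event names are hypothetical labels, not any product's signature names.
SCENARIOS = {
    "telnet-to-root": [("network", "telnet_login"), ("host", "su_root"),
                       ("host", "logging_disabled")],
    "web-defacement": [("network", "port_scan"), ("network", "http_cgi_bin_attack"),
                       ("host", "web_page_changed")],
    "sendmail-wiz": [("network", "port_scan"), ("network", "sendmail_wiz"),
                     ("host", "root_shell")],
}

# Constructed sample alerts: (unix_time, sensor, victim, event).
EVENTS = [
    (50, "network", "192.0.2.9", "telnet_login"),
    (90, "host", "192.0.2.9", "su_root"),
    (100, "network", "192.0.2.5", "port_scan"),
    (120, "host", "192.0.2.9", "logging_disabled"),
    (160, "network", "192.0.2.5", "http_cgi_bin_attack"),
    (400, "host", "192.0.2.5", "web_page_changed"),
    (500, "network", "192.0.2.7", "port_scan"),      # scan only, no follow-up
]

def chain_complete(alerts, steps, window):
    """True if `steps` occur in order within `window` seconds of the first step."""
    for i, (t0, sensor, event) in enumerate(alerts):
        if (sensor, event) != steps[0]:
            continue
        idx = 1
        for ts, s, e in alerts[i + 1:]:
            if ts - t0 > window or idx == len(steps):
                break
            if (s, e) == steps[idx]:
                idx += 1
        if idx == len(steps):
            return True
    return False

def correlate(events, sensors=("network", "host"), window=3600):
    """Group alerts per victim and report every scenario seen end to end."""
    per_victim = defaultdict(list)
    for ts, sensor, victim, event in sorted(events):
        if sensor in sensors:                 # simulate deploying only one IDS type
            per_victim[victim].append((ts, sensor, event))
    return sorted((victim, name) for victim, alerts in per_victim.items()
                  for name, steps in SCENARIOS.items()
                  if chain_complete(alerts, steps, window))

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Calling `correlate` with `sensors=("network",)` or `sensors=("host",)` on the same alerts reports no complete scenario, which is the figure's point about events that need both types of detection.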