
NIDS (network intrusion detection system)

Using a NIDS presents a major issue on a switched network if port spanning is not enabled. By design a switch
works on a high-speed direct-access principle, transmitting packets only to the intended recipient of the
packet and not to the entire network as legacy hub-based networks did. Some secure networks are run in such a
way that port spanning cannot be enabled, and in that scenario it is recommended that sensors, taps or monitors
be installed on the segment on which port spanning cannot be enabled. This is where a HIDS will triumph over a
NIDS, as a NIDS is network based and a HIDS is host based. If the network is not very high profile then you can
enable port spanning, which replicates all traffic transmitted on that switch to the port that has
spanning enabled. Note that port spanning is not available on all switching equipment and the wording
varies from manufacturer to manufacturer. Enabling port spanning can also pose a risk if the spanned port is
accessible to intruders: something as small as a spanned port can easily be just what an intruder needs to acquire
the network information needed to gain access to your corporate network.
A NIDS is best described as a standalone appliance that has network intrusion detection
capabilities. A NIDS can also be a software package that you install on a dedicated workstation connected
to your network, or a device that has the software embedded and is likewise connected to your network. The NIDS
then scans any traffic transmitted over that segment of your network. A NIDS functions in much the
same way as high-end antivirus applications: it uses a signature or pattern file, comparing each
transmitted packet against the patterns held in the signature file. The IDS is built for throughput, because
inspecting every packet in full can slow traffic considerably, so it takes a firewall-like approach to inspection,
letting through the packets that are not potentially dangerous. This triage is done by the IDS's
preprocessing filters, which arrange the data that is then scanned.
A NIDS (Network Intrusion Detection System) monitors traffic on the network looking for suspicious activity that
could be an attack. A NIDS can operate on the backbone network or be used to monitor a particular
server, switch, gateway or router. A NIDS can scan the system and detect changes
to the core components of the server. However, a NIDS does not replace firewalls, encryption or other
authentication methods; a NIDS only serves as a backup.
Network Intrusion Detection System
A "network intrusion detection system (NIDS)" monitors traffic on a network looking
for suspicious activity, which could be an attack or unauthorized activity.
A large NIDS server can be set up on a backbone network, to monitor all traffic; or
smaller systems can be set up to monitor traffic for a particular server, switch,
gateway, or router.
In addition to monitoring incoming and outgoing network traffic, a NIDS server can
also scan system files looking for unauthorized activity and to maintain data and file
integrity. The NIDS server can also detect changes in the server core components.
In addition to traffic monitoring, a NIDS server can also scan server log files and
look for suspicious traffic or usage patterns that match a typical network
compromise or a remote hacking attempt.
The NIDS server can also serve a proactive role instead of a protective or reactive
function. Possible uses include scanning local firewalls or network servers for
potential exploits, or for scanning live traffic to see what is actually going on.
Keep in mind that a NIDS server does not replace primary security such as firewalls,
encryption, and other authentication methods. The NIDS server is a backup network
integrity device. Neither system (primary security or NIDS server) should
replace common precaution (building physical security, corporate security policy,
etc.)
http://www.real-time.com/linuxsolutions/nids.html
HIDS (Host intrusion detection system)
Host intrusion detection systems are installed locally on host machines, making them a very versatile system
compared to NIDS. A HIDS can be installed on many different types of machines, namely servers, workstations and
notebook computers. Doing so gives you an edge that a NIDS does not have, especially if you have a segment
that your NIDS cannot reach. Traffic transmitted to the host is analyzed and passed on to the host only if no
potentially malicious packets are found within the data transmission. A HIDS focuses more on changes to the local
machine, whereas a NIDS focuses more on the network than on the specific hosts
themselves. A HIDS is also more platform specific and caters strongly to the Windows market of the computing
world; however, there are products available that function in UNIX and other OS environments.
A HIDS (Host Intrusion Detection System), unlike a NIDS, which resides on a server, can be installed on hosts
such as servers, workstations and personal computers, which makes this system very fragile. Its function is the
same as a NIDS, monitoring suspicious activity that could be an attack; the only difference is that a NIDS
monitors the network while a HIDS monitors the computer system.
A host-based intrusion detection system (HIDS) is a system that monitors a computer system on
which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and
notifying the designated authority. A HIDS can be thought of as an agent that monitors and
analyzes whether anything or anyone, whether internal or external, has circumvented the
systems security policy.
http://www.techopedia.com/definition/12826/host-based-intrusion-detection-system-hids
Comparative analysis of HIDS vs. NIDS
Function | HIDS | NIDS | Comments
Protection on LAN | **** | **** | Both systems protect you on your LAN.
Protection off LAN | **** | - | Only HIDS protects you when you are off the LAN.
Ease of administration | **** | **** | The admin of NIDS and HIDS is equal from a central admin perspective.
Versatility | **** | ** | HIDS are more versatile systems.
Price | *** | * | HIDS are more affordable systems if the right product is chosen.
Ease of implementation | **** | **** | Both NIDS and HIDS are equal from a central control perspective.
Little training required | **** | ** | HIDS requires less training than NIDS.
Total cost of ownership | *** | ** | HIDS cost you less to own in the long run.
Bandwidth requirements (LAN) | 0 | 2 | NIDS uses up LAN bandwidth. HIDS does not.
Network overhead | 1 | 2 | The NIDS has double the total network bandwidth requirements from any LAN.
Bandwidth requirements (internet) | ** | ** | Both IDS need internet bandwidth to keep the pattern files current.
Spanning port switching requirements | - | **** | NIDS requires that port spanning be enabled to ensure that your LAN traffic is scanned.
Update frequency to clients | **** | - | HIDS updates all of the clients with a central pattern file.
Cross platform compatibility | ** | **** | NIDS are more adaptable to cross platform environments.
Local machine registry scans | **** | - | Only HIDS can do these types of scans.
Logging | *** | *** | Both systems have logging functionality.
Alarm functions | *** | *** | Both systems alarm the individual and the administrator.
PAN scan | **** | - | Only HIDS scan your personal area networks (unless you have the $ to get a NIDS for your home).
Packet rejection | - | **** | Only NIDS functions in this mode.
Specialist knowledge | *** | **** | More knowledge is required when installing and understanding how to use NIDS from a network security perspective.
Central management | ** | *** | NIDS are more centrally managed.
Disable risk factor | * | **** | NIDS failure rate is much higher than HIDS failure rate. NIDS has one point of failure.
Upgrade potential | *** | *** | It is easier to upgrade software than hardware. HIDS can be upgraded through a centralized script. NIDS is typically flashed onto the flash memory and has low overhead.
Multiple LAN detection nodes | **** | ** | HIDS is a more comprehensive multiple segment detection IDS than NIDS.

Peek & Spy
This software lets a privileged user see what other users are doing and
allows them to take control of that user's session. It saves the system manager from having
to go to the user when a problem occurs; through this software the system manager
can fix the problem directly on the user's computer. The software also allows the
system manager to lock out users who are not identified.
http://networkingdynamics.com/peek-spy/peekspy/
Snort
Snort can perform protocol analysis and content searching/matching. This can be
used to detect a variety of attacks and probes. Snort has a
real-time alerting system.
Snort can perform protocol analysis and content searching/matching. It can be used to
detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI
attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules
language to describe traffic that it should collect or pass, as well as a detection engine
that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as
well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket,
or WinPopup messages to Windows clients. Snort has three primary uses: a straight
packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or
a full-blown network intrusion prevention system.
http://www.snort.org/snort
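The signature-matching pipeline described in the NIDS section above (preprocessing filters that triage packets, then pattern matching against a signature file) and the Snort rules language described here can be illustrated together with a small engine. The code below is an added example written for this page, not Snort's code: it implements only a subset of Snort's rule syntax (the header, `msg`, `sid` and `content` with `|hex|` sections), and the rules, addresses and packets it runs over are all constructed here.

```python
"""Toy signature-matching NIDS using a subset of Snort's rule language.

Illustrative example, not Snort's own code. It parses rules of the form
    alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"..."; sid:N;)
and applies them to constructed packets after a cheap pre-filter, mirroring the
preprocess-then-match pipeline of a signature-based IDS.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list[bytes] = field(default_factory=list)  # every content must be present


HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;')


def decode_content(text: str) -> bytes:
    """Snort content syntax: plain text with |hex bytes| sections, e.g. "|ff|SMB"."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(line: str) -> Rule:
    """Parse one rule line into a Rule; options this toy does not know are ignored."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for key, value in OPTION_RE.findall(opts):
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append(decode_content(value))
    return rule


def _matches(spec: str, value) -> bool:
    """'any' matches everything; otherwise the literal address or port must be equal."""
    return spec == "any" or spec == str(value)


def inspect(packets: list[Packet], rules: list[Rule]) -> list[tuple[int, str]]:
    """Return (sid, msg) for every rule each packet triggers, in packet order."""
    # Preprocessing filter: bucket rules by protocol so a packet is only compared
    # against candidates that can apply to it at all.
    by_proto = defaultdict(list)
    for r in rules:
        by_proto[r.proto].append(r)

    alerts = []
    for pkt in packets:
        if not pkt.payload:  # nothing to match against: passed straight through
            continue
        for r in by_proto.get(pkt.proto, []):
            header_ok = (_matches(r.src, pkt.src) and _matches(r.sport, pkt.sport)
                         and _matches(r.dst, pkt.dst) and _matches(r.dport, pkt.dport))
            if header_ok and all(c in pkt.payload for c in r.contents):
                alerts.append((r.sid, r.msg))
    return alerts


# Constructed rule set (sids and messages are made up for this example).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"WEB-MISC directory traversal attempt"; content:"../"; sid:1001;)',
    'alert tcp any any -> any 445 (msg:"SMB negotiate probe"; content:"|ff|SMB"; content:"|72|"; sid:1002;)',
]]

# Constructed sample traffic.
PACKETS = [
    Packet("tcp", "10.0.0.5", 40001, "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("tcp", "10.0.0.5", 40002, "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.9", 40003, "10.0.0.20", 445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),
    Packet("udp", "10.0.0.5", 5353, "10.0.0.53", 53, b"../"),  # no UDP rules: never inspected
    Packet("tcp", "10.0.0.5", 40004, "10.0.0.80", 80, b""),    # empty payload: passed through
]


def demo() -> list[tuple[int, str]]:
    alerts = inspect(PACKETS, RULES)
    for sid, msg in alerts:
        print(f"[**] [1:{sid}] {msg}")  # Snort-like alert line to syslog, a file, or a socket
    return alerts


if __name__ == "__main__":
    demo()
```

The protocol bucket and the empty-payload shortcut are the "preprocessing filter" in miniature: benign or irrelevant packets are dismissed before any byte comparison, and only candidates reach the pattern matcher. Real engines go much further (multi-pattern matching, stream reassembly, protocol decoders), but the shape of the pipeline is the same.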
