
I have a problem with an institute server. The scenario is as follows.

There is an institute (Government/Corporate/Industry) that has its own dedicated server. But there are no other security services or firewall implemented on these servers other than the basic server security that came from the developer of those servers. I, as one of many data center admins for this institute (I am currently a junior data center admin, a newbie), tried many things to build a security system to prevent malicious attacks, hacker attacks that try to steal institute data or try to hijack our server.

Rather than looking for a NIDS, which "secures" our network traffic and such, I found an application called "OSSEC", an open source HIDS application. You can find more information about this app here. I used OSSEC to collect and analyze, but to visualize the logs I used ELK. Before I installed the apps onto the servers, I found an app called WAZUH, which integrates OSSEC with ELK, so rather than installing OSSEC and ELK separately, I used the Wazuh app, given that those apps are installed in one go. I tried to install it on my server, installed many agents, and did a lot of configuration as in the Wazuh documentation. It works great: it can prevent things like brute-force attacks, any authentication failures, rootkit detection, confirming malicious files/configs and such. I thought at that time that this was the "greatest" security app I had ever seen.

A month later, a new machine called Cisco ASA 5516-X came to our institute. I had never heard of this machine before, but they said this machine is "superior" among other security machines, as you can see from the price on Amazon. Long story short, they implemented this machine in front of the servers. And they tried to deactivate or maybe shut down the services of the Wazuh app. I disagreed with the other admins; I said it's better to keep the Wazuh app running on our own servers, but they said, "We don't need any other security since we have this machine, it secures the network traffic and many things, so we should turn off and shut down any service app like the Wazuh app or other things". Is what they said true? Are we safe from any harmful situation if we use a "NIDS" rather than a HIDS?

schroeder

gagantous

2 Answers


They serve different purposes. While a NIDS covers your servers in terms of network-level traffic, it may not be sufficient on its own. For instance, any SSL-encrypted connection will not be transparent to the NIDS, which means that whatever is sent across to your servers, it won't be able to see it.

Additionally, a HIDS is also a lot more valuable than a NIDS in case of incident response. A NIDS does not report on changed files on a server, as it doesn't have access. OSSEC does, and it's useful to see what was modified if an attacker manages to breach your server.

They are complementary and not exclusive. Also, stating that something is far "superior" purely based on price is rather ignorant.

Lucas Kauffman

Wazuh now has rules for Suricata integration, meaning that you can combine the best of both worlds in a single solution. NIDS and HIDS greatly complement each other.

You can run a Wazuh agent on your Suricata sensor and configure it to collect Suricata output. The configuration would look something like this:

```xml
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
```

This will allow you to use other HIDS features like "Active Responses" with Suricata alerts. Other examples could be integration with Threat Intelligence sources like AlienVault OTX (also supported by Wazuh).
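As an added example (not part of the answer above or of Wazuh's own code), the following Python shows what the agent's `json` log collector is essentially doing with `eve.json`: reading one record per line, keeping only `alert` events above a severity threshold, and counting alerts per source so a threshold rule could drive an active response. The EVE lines are constructed samples; the signature name and `signature_id` 9000001 are made up for the example.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON records, one per line, in the shape
# Suricata writes to /var/log/suricata/eve.json (flow, dns and alert events,
# plus one corrupt line a collector must tolerate). Signature/sid are invented.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-01-10T10:00:01.000000+0000","flow_id":1,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP"}',
    '{"timestamp":"2019-01-10T10:00:02.000000+0000","flow_id":2,"event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2019-01-10T10:00:03.000000+0000","flow_id":3,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51001,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"CONSTRUCTED SCAN SSH probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2019-01-10T10:00:04.000000+0000","flow_id":4,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,'
    '"signature":"CONSTRUCTED POLICY SSH banner","category":"Not Suspicious Traffic","severity":3}}',
    'this line is not JSON and must be skipped rather than stop the collector',
]


def parse_eve_alerts(lines, min_severity=3):
    """Return alert records from EVE lines, normalised to the fields a HIDS rule
    would match on. Suricata severity runs 1 (high) to 3 (low); records with a
    severity number greater than min_severity are dropped, as are non-alert
    events and lines that are not valid JSON."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip, do not abort
        if rec.get("event_type") != "alert":
            continue
        a = rec.get("alert", {})
        if a.get("severity", 3) > min_severity:
            continue
        alerts.append({
            "timestamp": rec["timestamp"],
            "src_ip": rec["src_ip"], "dest_ip": rec["dest_ip"],
            "dest_port": rec.get("dest_port"),
            "sid": a["signature_id"], "signature": a["signature"],
            "category": a["category"], "severity": a["severity"],
        })
    return alerts


def sources_over_threshold(alerts, min_alerts):
    """Source IPs with at least min_alerts alerts: the kind of count a
    frequency rule would use before triggering an active response."""
    counts = Counter(a["src_ip"] for a in alerts)
    return sorted(ip for ip, n in counts.items() if n >= min_alerts)
```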