Can we interchangeably deploy a HIDS or HIPS instead of a NIDS/NIPS, and what would be the risks? For example, if you have Symantec EPS modules with HIPS policies enabled, how are they different from a traditional NIPS or HIPS?
2 Answers
No, you cannot interchangeably deploy HI?S versus NI?S. They attack different subsets of the same problem.
Most simply, N* is limited to network inputs, whereas H* has access to a far richer set of inputs (files! processes! network listeners!) to be judgmental about (and has less network visibility, so usually doesn't have the rich network parsing and signature set that a N* does).
See also: Can Snort be configured as HIDS?
That said, if your concern is satisfying an auditor or security requirements that say HIDS/NIDS, then either will do - such requirements are often written solely with the goal of making sure you're taking extra steps to secure yourself, not with the goal of dictating one technology or another.
Host intrusion detection is cooperative enforcement. Network intrusion detection will catch uncooperative hosts (i.e., Linux machines that aren't installing your stuff), though highly uncooperative hosts will encrypt their traffic as well.