Network Computing, powered by InformationWeek Business Technology Network

Security
FEATURE
Dragon Claws its Way to the Top

  August 20, 2001
  By Greg Shipley

Online Only: What's New with HIDS

In two words? Not much. While there are a number of evolving HIDS (host-based IDS) efforts that promise to enable more advanced features, such as process monitoring, the products we looked at are just performing the basic tasks of log parsing and file monitoring. However, despite their simplicity, this functionality should not be scoffed at -- many organizations don't even have these essentials covered. Organizations that have been trying to get their unified logging efforts off the ground may find that a HIDS deployment is just what they need because consolidated logs are one of the byproducts.

The modern-day HIDS model is pretty simple: Deploy agents on a set of machines and instruct them to alert to a central console. The challenges are deploying on a wide scale and finding products that support all of your critical platforms. Many organizations have begun going the route of targeted HIDS deployments, placing agents on critical servers or those exposed to higher risk -- Internet-facing Web servers, for example. By using a combined NIDS/HIDS approach, administrators can keep a sharper eye on a select number of servers while still maintaining the flexibility and range that the NIDS devices can offer.

Of the HIDS products we tested, we found Internet Security Systems' RealSecure and CyberSafe Corp.'s Centrax the easiest to deploy and use. Both easily tie back into their respective management frameworks, and both give administrators a simple way to watch for OS-driven security events, like failed logins. Centrax also provides administrators with a centralized point to deploy NT system policies, a feature that comes in quite handy in large organizations. In many ways, Centrax is as useful as an administration aid as it is as a HIDS.

ISS is doing something interesting with its new Server Sensor product: It has combined some of the technology from its NIDS offering with the functionality of the basic HIDS agent. The result is a hybrid approach that can detect network-based events, like probes and floods, while still performing the more common HIDS-based functions.

As for the other HIDS offerings we tested, Symantec Corp.'s Intruder Alert (formerly Axent Technologies' Intruder Alert; Axent was acquired by Symantec in December 2000) still covers the widest range of platforms, but we continue to find the interface difficult to use and far from intuitive. Enterasys Networks' Dragon is still quite young and lacks a Windows offering, but Enterasys is branching out and starting to parse things like firewall logs, so the company's solution is one you may wish to keep an eye on.

We were disappointed, however, that most vendors aren't parsing Web logs for attack patterns. Granted, this is less of an issue for internal machines buried deep in the enterprise, but Internet-facing machines are often compromised through the only port open to the outside world: Port 80. While a select few of the Microsoft IIS-based attacks won't leave traces in the logs, most will. Web/CGI exploitation is one of the fastest-growing attack trends on the Internet today. While the NIDS products are attempting to address this issue, HIDS products are falling way behind.
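The kind of Web-log parsing described above can be sketched as follows. This is an added example, not code from the article or from any product reviewed; the log format (NCSA Common Log Format), the sample lines and the three rules are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA Common Log Format (not from the article).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2001:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 5120
192.0.2.77 - - [20/Aug/2001:10:01:09 -0500] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe HTTP/1.0" 404 310
198.51.100.4 - - [20/Aug/2001:10:02:30 -0500] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.0" 200 812
198.51.100.4 - - [20/Aug/2001:10:02:41 -0500] "GET /products/list.asp?id=42 HTTP/1.0" 200 2048
"""

# Illustrative rules only (assumed, not a vendor signature set).
RULES = [
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("command-interpreter", re.compile(r"(cmd\.exe|/bin/sh)\b", re.I)),
    ("sensitive-file", re.compile(r"/etc/passwd|boot\.ini", re.I)),
]
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def normalize(url, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan(log_text):
    """Return one alert per request whose decoded URL matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line; a real agent would count these
        src, when, method, url, status = m.groups()
        hits = [name for name, rx in RULES if rx.search(normalize(url))]
        if hits:
            # A 2xx answer means the server served the request: triage first.
            alerts.append({"src": src, "time": when, "url": url, "rules": hits,
                           "status": int(status), "served": status.startswith("2")})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```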

Ideally, we'd love to see the HIDS space move to a component model, which would allow organizations to choose the best HIDS agent for their environments and snap them into a unified IDS framework of some sort. Unfortunately, the standards needed to do this are still a ways off, and even if they were here, we're not sure how fast vendors would adopt them. Smart vendors from the HIDS world should form partnerships with NIDS vendors and initiate correlation products. CyberSafe, ISS and Symantec understood the power of bringing the two spaces together, integrating their products into a unified console model early on. However, many organizations are still choosing IDS solutions based on targeted sets of specific needs. While some will choose a partner to provide both HIDS and NIDS solutions, many organizations are still choosing either NIDS or HIDS, depending on their needs and environment. Whichever route you choose, make sure you know what you're getting into. Both have their strengths and their weaknesses.

