Tip

Choosing an intrusion detection system: Network, host or application-based IDS

The following is the second tip in a two-part series on intrusion detection system (IDS) techniques. Part one provided an overview of IDS product features, signature databases and heuristics. Part two below spotlights three types of IDS tools, and the pros and cons of using each.


Network-based IDS

A network-based intrusion detection system (IDS) plugs directly into your network and monitors activity. Such a system places very little overhead on the network because it only watches your network traffic and sends alerts if it detects anything abnormal, generally speaking. (Different makes and models offer different features.) These systems are primarily passive devices that are virtually undetectable by hackers – but they are not perfect.

Network-based IDS devices can not analyze encrypted traffic and they have trouble monitoring high speed or high-volume traffic. When the traffic volume or velocity exceeds the IDS' capabilities, the solution will start ignoring packets. So if a hacker launches an attack during a period of peak activity on the network, there is a good chance the attack will go unnoticed. Also, network-based IDS devices can report a potential attack in progress, but they have no way of telling you if such an attack is successful.

Host-based IDS

The second type of IDS is host based. A host-based IDS monitors individual hosts on your network for malicious activity. These systems tend to be more accurate than network-based IDS because they analyze the server's log files, not just network traffic patterns. However, they will only monitor activity for the hosts running the IDS software. Typically, this software consists of an agent that reports IDS related information to a central server with a viewing console.

The problem with host-based systems is that they tend to be expensive and resource intensive. The expense comes from having to purchase a license for every host you are monitoring. The performance impact comes from having to run the IDS software on your production servers. This software consumes CPU cycles, memory, disk space and network bandwidth.

Application-based IDS

An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server). An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects. However, this type of specialized IDS may fail to detect attacks not specifically targeted at that application. Hackers have also been known to shut down application-based IDS systems.

As you can see, there are several IDS systems to consider. The best way to secure your network is to use a variety of IDS systems in strategic locations.

Return to part one for an overview of basic IDS solution features: Signature databases and heuristics.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.


More information from SearchWindowsSecurity.com

  • Article: Are identities safer on laptops than central databases?
  • Tip: Network perimeter defenses for smaller shops
  • Learning Guide: Authentication


  • This was first published in April 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.