Problem solve Get help with specific problems with your technologies, process and projects.

Choosing an intrusion detection system: Network, host or application-based IDS

Different types of intrusion detection tools do different jobs. This tip offers help comparing three different types of IDS devices: network, host and application-based IDS.

The following is the second tip in a two-part series on intrusion detection system (IDS) techniques. Part one provided an overview of IDS product features, signature databases and heuristics. Part two below spotlights three types of IDS tools, and the pros and cons of using each.

Network-based IDS

A network-based intrusion detection system (IDS) plugs directly into your network and monitors activity. Such a system places very little overhead on the network because it only watches your network traffic and sends alerts if it detects anything abnormal, generally speaking. (Different makes and models offer different features.) These systems are primarily passive devices that are virtually undetectable by hackers – but they are not perfect.

Network-based IDS devices can not analyze encrypted traffic and they have trouble monitoring high speed or high-volume traffic. When the traffic volume or velocity exceeds the IDS' capabilities, the solution will start ignoring packets. So if a hacker launches an attack during a period of peak activity on the network, there is a good chance the attack will go unnoticed. Also, network-based IDS devices can report a potential attack in progress, but they have no way of telling you if such an attack is successful.

Host-based IDS

The second type of IDS is host based. A host-based IDS monitors individual hosts on your network for malicious activity. These systems tend to be more accurate than network-based IDS because they analyze the server's log files, not just network traffic patterns. However, they will only monitor activity for the hosts running the IDS software. Typically, this software consists of an agent that reports IDS related information to a central server with a viewing console.

The problem with host-based systems is that they tend to be expensive and resource intensive. The expense comes from having to purchase a license for every host you are monitoring. The performance impact comes from having to run the IDS software on your production servers. This software consumes CPU cycles, memory, disk space and network bandwidth.

Application-based IDS

An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server). An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects. However, this type of specialized IDS may fail to detect attacks not specifically targeted at that application. Hackers have also been known to shut down application-based IDS systems.

As you can see, there are several IDS systems to consider. The best way to secure your network is to use a variety of IDS systems in strategic locations.

Return to part one for an overview of basic IDS solution features: Signature databases and heuristics.

About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

Next Steps

Article: Are identities safer on laptops than central databases?

Tip: Network perimeter defenses for smaller shops

Learning Guide: Authentication

Dig Deeper on Enterprise desktop management