Monday, August 26, 2013

Network-Based and Host-Based

Network-based IDS can be hardware appliances dedicated to their tasks or software
applications installed on a computer system. In either case, the network interface
card works in promiscuous mode, and the IDS collects and monitors network traffic,
looking for malicious activity. Sensors are placed in the network segments
that are to be monitored, and they are all connected to a central management
console. The IDS software analyzes protocols and relevant packet information
to uncover misdeeds.

Host-based IDS, on the other hand, are applications installed on individual
computers with the goal of monitoring activities taking place on specific systems
instead of monitoring network traffic. Host-based IDS have a more myopic
view and can be used to ensure that critical system files are not modified in
an unauthorized manner, scrutinize event logs, monitor use of system resources,
and possibly detect ping sweeps and port scans that are taking place on
those individual systems.

Host-based IDS can take a lot of maintenance if they are installed on each
and every system within a network. In most environments, only the critical servers
have host-based IDS installed because the whole network could be negatively affected
if one or more of them were compromised.

The goal of both the network and host-based IDS is to detect ongoing attacks
or potentially dangerous activities and alert the network staff so that they can
properly react and mitigate damage. Depending on the product and its configuration,
the IDS can page or e-mail the network administrator or engineer to
alert her of a specific type of activity. The IDS may also attempt to reset the connection
of an ongoing attack and even reconfigure a router or firewall to cut off
traffic from the identified source of the attack.

Network-based and host-based systems will be either signature-based or behavior-based
products, both of which are described in the following section.
