Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is designed to detect intrusions, but a host-based IDS (HIDS) and a network-based IDS (NIDS) watch from different vantage points and so behave a little differently. Some of the points of each are:


HIDS

► Installed on a host computer such as a workstation or server

► Primarily monitors activity on that host: system and application logs, file integrity, running processes and, where configured, the traffic passing through the host's NIC

► Consumes CPU, memory and disk on the workstation or server it protects

► Can monitor only network traffic sent to the host or coming from the host, so it cannot observe attacks against other machines on the same segment

► Data stored locally (on the host), unless the agent is configured to forward it to a central server

NIDS

► Installed on the network itself, either as a dedicated sensor fed by a switch mirror (SPAN) port or a network tap, or as a feature of network devices such as firewalls, routers or switches

► The monitoring devices are referred to as sensors; a tap is the passive hardware device that copies traffic from a link to a sensor

► Data centrally managed: sensors report back to a central console

► Sees traffic for every host on the monitored segment, but cannot inspect the payload of encrypted traffic (TLS, SSH, VPN tunnels) unless it is decrypted first; a HIDS sees that data after the host decrypts it

Both types can use either signature-based detection or anomaly-based detection.

Signature-based

The IDS looks for known attack patterns (similar to how anti-virus programs use virus signatures). It produces few false positives, but it detects only attacks that already have a signature, so the signature set must be kept up to date.

Anomaly-based

A baseline of normal operation is established first. When events occur that are 'out of the norm' (anomalies), the system alerts. This can catch previously unseen attacks, but any legitimate change in behaviour (a new application, a scheduled backup job) also looks anomalous, so the baseline needs ongoing tuning to keep false positives down.

Also, both types can have either a passive or an active response.

Passive Response

Alerts are logged and personnel are typically notified; the IDS itself changes nothing in the environment.

Active Response

An active response also takes some action to modify the environment. A common active response is to change the ACL on a router or firewall to block access from the attacker's address. The caveat is that an attacker who can spoof the source address of an attack can use this against you, tricking the IDS into blocking legitimate addresses, so active responses are normally limited to high-confidence (signature) alerts, exclude a safelist of critical hosts, and expire after a set time. A system that takes such action inline is usually called an intrusion prevention system (IPS).
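The following is an added example, not code from the original post, that puts the two detection methods and the two response types above together on a small constructed event stream: a signature scan with regular expressions, an anomaly scan that builds a per-source events-per-minute baseline and alerts on bursts or on sources never seen before, and a response step that always logs (passive) and, when active, emits router-style deny rules only for signature alerts and never for safelisted hosts. The log lines, addresses, the `TRUSTED` safelist and the signature names are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Alert:
    kind: str    # "signature" or "anomaly"
    source: str  # offending address
    detail: str  # signature name or anomaly description


# Hypothetical signature set: name plus the pattern it matches in a log message.
SIGNATURES = [
    ("ssh-root-bruteforce", re.compile(r"Failed password for root")),
    ("web-path-traversal", re.compile(r"GET /.*\.\./")),
    ("sqli-union", re.compile(r"(?i)union\s+select")),
]

# Hypothetical safelist: hosts an active response must never block.
TRUSTED = {"10.0.0.5", "10.0.0.7"}


def build_sample():
    """Constructed sample events (not real data). Baseline: five minutes of
    routine logins from two internal hosts. Live: one busy stretch that mixes
    normal activity, a login burst, a root brute force and a traversal probe."""
    per_minute = {"10.0.0.5": [3, 3, 4, 3, 2], "10.0.0.7": [2, 2, 2, 2, 2]}
    baseline = []
    for src, counts in per_minute.items():
        for minute, n in enumerate(counts):
            for i in range(n):
                baseline.append({"t": minute * 60 + i, "src": src,
                                 "msg": "Accepted publickey for alice"})
    live = [{"t": 300 + i, "src": "10.0.0.5", "msg": "Accepted publickey for alice"}
            for i in range(3)]
    # Ten logins from 10.0.0.5 inside one minute: no signature matches, but it
    # is well above that host's baseline rate (e.g. a scripted credential reuse).
    live += [{"t": 360 + i, "src": "10.0.0.5", "msg": "Accepted publickey for alice"}
             for i in range(10)]
    # Six root password failures from an address absent from the baseline.
    live += [{"t": 310 + i, "src": "198.51.100.9", "msg": "Failed password for root"}
             for i in range(6)]
    # One path traversal attempt from a trusted host.
    live.append({"t": 330, "src": "10.0.0.7", "msg": "GET /static/../../etc/passwd"})
    return baseline, live


def signature_scan(events):
    """Signature-based detection: every event is checked against every pattern."""
    return [Alert("signature", ev["src"], name)
            for ev in events for name, pat in SIGNATURES if pat.search(ev["msg"])]


def _counts_per_bucket(events, bucket):
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["src"]][ev["t"] // bucket] += 1
    return counts


def build_baseline(events, bucket=60):
    """Per-source mean and population std-dev of events per bucket. Buckets in
    which a source was silent count as zero, otherwise the mean is inflated."""
    counts = _counts_per_bucket(events, bucket)
    buckets = sorted({ev["t"] // bucket for ev in events})
    profile = {}
    for src, per_bucket in counts.items():
        series = [per_bucket.get(b, 0) for b in buckets]
        profile[src] = (mean(series), pstdev(series))
    return profile


def anomaly_scan(events, profile, bucket=60, k=3.0):
    """Anomaly-based detection: alert on sources with no baseline at all, and on
    any bucket more than k standard deviations above a source's mean. The
    std-dev floor of 1.0 stops a zero-variance baseline alerting on +1 event."""
    alerts = []
    for src, per_bucket in _counts_per_bucket(events, bucket).items():
        if src not in profile:
            alerts.append(Alert("anomaly", src, "source absent from baseline"))
            continue
        avg, sd = profile[src]
        threshold = avg + k * max(sd, 1.0)
        for b, n in sorted(per_bucket.items()):
            if n > threshold:
                alerts.append(Alert("anomaly", src,
                                    f"{n} events in bucket {b}, threshold {threshold:.1f}"))
    return alerts


def respond(alerts, active=False, trusted=TRUSTED):
    """Passive: log every alert. Active: additionally emit one deny rule per
    source, but only for signature alerts (anomalies are too noisy to act on
    automatically) and never for safelisted hosts, so a spoofed source cannot
    make the IDS lock out our own machines."""
    log, rules = [], []
    for a in alerts:
        log.append(f"ALERT {a.kind} src={a.source} {a.detail}")
        if active and a.kind == "signature" and a.source not in trusted:
            rule = f"deny ip host {a.source} any"
            if rule not in rules:
                rules.append(rule)
    return log, rules


def run(active=False):
    baseline, live = build_sample()
    alerts = signature_scan(live) + anomaly_scan(live, build_baseline(baseline))
    log, rules = respond(alerts, active=active)
    return alerts, log, rules


if __name__ == "__main__":
    alerts, log, rules = run(active=True)
    print("\n".join(log))
    print("ACL changes:", rules)
```

Run as written, the signature scan raises seven alerts (six brute-force hits and the traversal), the anomaly scan raises two (the burst from 10.0.0.5 and the unknown address), and the active response blocks only 198.51.100.9: the traversal from 10.0.0.7 is logged but not acted on because that host is safelisted, and the login burst is logged but not acted on because it is only an anomaly.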
