Intruder alert

29 January 2003 08:10 AM
Tags: network, ids, detection, intruder, intrusion, alert, ips, signature

What types of IDS are available?

Intruder alert: Intrusion Detection Systems (series)
1. IDS types
2. Intruders, responses and how well do they work?
3. IDS vs IPS
4. Where to deploy?
IDSes are generally broken down by what they monitor: the whole network, a specific host, or even a single application. A truly effective IDS will use a combination of network- and host-based intrusion detection. Figuring out where to use each type and how to integrate the data is a real and growing concern.

Network-based IDSes. Most of the IDSes on the market are based around Network IDSes (NIDS). NIDS work by capturing data from one or more points central to the network and reporting back to a management console. The capture systems must be placed in the network such that they can see all passing traffic. In a fully switched network, there may be difficulties in capturing data unless you can configure your switches to pass a copy of all the traffic to a specific port for the IDS.

Pros:

  • You can listen to a fairly large network with just a few machines.
  • The system is transparent as the unit collects traffic information.
  • All traffic between the console and the NIDS collector can be encrypted or carried on a separate management network, so the monitoring channel itself is protected.

Cons:

  • There may be a lot of traffic passing the system, possibly more than the system can process. This will cause difficulties in detecting intruders when loads are high.
  • The need to process packets quickly may mean that you have to turn off some of the features to keep up with traffic volumes.
  • Traffic on fully switched networks can be difficult to capture, as it is not replicated to every port the way it is on a non-switched network.
  • Unable to analyse encrypted traffic.

Host-based IDSes. A host-based IDS (HIDS) looks at what is happening on the computer it is installed on. This allows the IDS to examine very specifically what is happening on that machine via its log files and/or its internal auditing systems. There are two main types of HIDS: host wrappers/personal firewalls and agent-based software.

Host wrappers or personal firewalls are configured to look at all network packets, attempted connections, or attempted logins to the monitored machine. Host-based agents are designed to monitor accesses and changes to critical system files and changes in user privilege.

Ideally your HIDS will simplify the administration of a set of hosts by having the administration functions and attack logs all report to a central IT security console.
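The file-monitoring part of a host-based agent described above, reduced to its core: record a trusted baseline of each critical file (content hash, permission bits, owner), then re-check and raise an alert on any deviation or deletion. This is an added illustration, not code from the article or from any product it reviews; the file names and contents are constructed in a scratch directory purely for the demonstration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Fingerprint one file: SHA-256 of its contents plus permission bits and owner uid."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()  # whole-file read is fine for config-sized files
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_baseline(paths) -> dict:
    """Record the trusted state of each monitored file that currently exists."""
    return {str(p): file_record(Path(p)) for p in paths if Path(p).is_file()}

def check_baseline(baseline: dict) -> list:
    """Re-fingerprint every baselined file and return one alert string per deviation."""
    alerts = []
    for name, expected in baseline.items():
        path = Path(name)
        if not path.is_file():
            alerts.append(f"MISSING {name}")
            continue
        current = file_record(path)
        for field in ("sha256", "mode", "uid"):
            if current[field] != expected[field]:
                alerts.append(f"CHANGED {name}: {field} {expected[field]} -> {current[field]}")
    return alerts

def demo() -> list:
    """Constructed scenario in a temporary directory: baseline three files, then alter one and delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        passwd, sshd, hosts = d / "passwd", d / "sshd_config", d / "hosts"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")   # sample content, not a real system file
        sshd.write_text("PermitRootLogin no\n")
        hosts.write_text("127.0.0.1 localhost\n")
        baseline = build_baseline([passwd, sshd, hosts])
        sshd.write_text("PermitRootLogin yes\n")  # an edit the agent should flag
        hosts.unlink()                            # a deletion the agent should flag
        return check_baseline(baseline)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A real agent would also store the baseline somewhere the monitored host cannot silently rewrite it and ship alerts to a central console, which is exactly the "attacked and disabled first" weakness the cons list below points out.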

Pros:

  • Able to detect a large range of local attacks.
  • Encryption generally does not get in the way, because the HIDS sees the data after the server has decrypted it.
  • No problem with switched networks.

Cons:

  • The IDS often must be installed and maintained separately on each host.
  • Because the IDS is on the host, the IDS may be attacked and disabled first.
  • May not see a widely dispersed network scan.
  • May get swamped in a Denial of Service Attack (DoS).
  • Consumes processing power and network resources of the server it’s protecting.


Talkback (1 comment)

    Anonymous -- 23/02/04: You have misspelled organisation, authorised, unauthorised, analysing, & analyse which should be organization, authorized, unauthorized, analyzing, & analyze. Just thought you should know, doesn't look very good or very professional.
