An Intrusion Detection System (IDS) is designed to detect intrusions, but a host-based IDS (HIDS) works somewhat differently from a network-based IDS (NIDS). The main points of each are:
HIDS
► Installed on a host computer such as a workstation or server
► Primarily monitors activity on that host: system and application logs, file integrity, processes and configuration changes; it can also inspect traffic passing through the host's own NIC
► Consumes CPU, memory and disk resources of the host it protects
► Can only see network traffic sent to or from that host; it cannot see what other hosts on the segment are doing
► Data is stored locally (on the host), although agents are commonly configured to forward alerts to a central console as well
NIDS
► Deployed as sensors attached to the network: on a mirror (SPAN) port of a switch, behind an inline network tap, or on a firewall or router that carries the sensor software
► These monitoring points are referred to as sensors or taps
► Data is centrally managed: sensors report back to a central console
► Cannot inspect the contents of encrypted traffic (TLS, SSH, VPN) between individual hosts unless that traffic is decrypted for it; a HIDS sees the same data on the endpoint after decryption
Both types can use either signature-based detection or anomaly-based detection, and most products combine the two.
Signature-based
The IDS looks for known attack patterns (similar to how anti-virus programs use virus signatures). It is precise on attacks it knows about but blind to new or obfuscated ones, so input should be normalised (for example URL-decoded) before it is matched.
Anomaly-based
A baseline of normal operation is created first. When events occur that are ‘out of the norm’ (anomalies), the system alerts. This can catch previously unseen attacks, but it produces false positives if the baseline was built while the environment was already compromised or has since changed. Also, both types can have either a passive or an active response.
Passive Response
Alerts are logged and personnel are typically notified; nothing in the environment is changed.
Active Response
An active response also takes some action to modify the environment. A common active response is to change the ACL on a router or firewall to block access from the attacker. Because the attacker chooses the source address that triggers the block, this can be turned into a denial of service against legitimate hosts (spoofed packets carrying the address of a partner, a DNS server or the default gateway), so automatic blocking should exclude critical addresses and expire after a set time.
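The following is an added example, not code from the original post, that puts the two detection methods and the two response types above into working code. It runs signature matching (on URL-decoded paths) and an anomaly check (per-source request count against a baseline of mean plus three standard deviations) over constructed web-server log lines, then produces either a passive response (log lines only) or an active one (firewall rules returned as strings, never executed). The log contents, the addresses, the NEVER_BLOCK set and the iptables command are illustrative assumptions.

```python
"""Signature- and anomaly-based detection with passive/active responses over
constructed web-server log lines.  Added example for this post, not the
original page's code; log data, addresses and NEVER_BLOCK are assumptions."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed "learning" traffic used to build the anomaly baseline.
# Each line: "<src_ip> <method> <path> <status>".
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.5 GET /contact.html 200
10.0.0.7 GET /index.html 200
10.0.0.7 GET /about.html 200
10.0.0.9 GET /index.html 200
10.0.0.9 GET /news.html 200
10.0.0.9 GET /about.html 200
"""

# Constructed traffic to inspect: normal requests, two attack requests from
# 203.0.113.9 (one URL-encoded, to show why decoding precedes matching) and
# a 30-request burst from 198.51.100.4 that matches no signature at all.
OBSERVED_LOG = """\
10.0.0.5 GET /index.html 200
203.0.113.9 GET /cgi-bin/../../etc/passwd 404
203.0.113.9 GET /login.php?user=admin%27%20OR%20%271%27%3D%271 500
10.0.0.7 GET /about.html 200
""" + "".join(f"198.51.100.4 GET /p{i} 404\n" for i in range(30))

# Signature rules: known attack patterns, matched against the decoded path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sensitive-file", re.compile(r"/etc/passwd")),
    ("sql-injection", re.compile(r"(?i)'\s*or\s*'|union\s+select")),
]

# Addresses an active response must never block (assumption: gateway and the
# IDS console); an attacker could spoof them to make the IDS block itself.
NEVER_BLOCK = {"10.0.0.1", "10.0.0.250"}


@dataclass(frozen=True)
class Alert:
    kind: str    # "signature:<rule>" or "anomaly:<metric>"
    source: str  # offending source IP
    detail: str


def parse(log_text):
    """Split log lines into (src, method, decoded_path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            src, method, path, status = line.split()
            events.append((src, method, unquote(path), int(status)))
    return events


def signature_detect(events):
    """Signature-based: flag every request whose path matches a known pattern."""
    return [Alert("signature:" + name, src, path)
            for src, _method, path, _status in events
            for name, pattern in SIGNATURES if pattern.search(path)]


def build_baseline(events, k=3.0):
    """Anomaly baseline: per-source request-count threshold of mean + k*stdev.
    The stdev floor of 1 stops a perfectly flat baseline from alerting on +1."""
    counts = list(Counter(src for src, *_ in events).values())
    return statistics.mean(counts) + k * max(statistics.pstdev(counts), 1.0)


def anomaly_detect(events, threshold):
    """Anomaly-based: flag sources whose request count exceeds the baseline."""
    counts = Counter(src for src, *_ in events)
    return [Alert("anomaly:request-count", src, f"{n} requests > {threshold:.1f}")
            for src, n in sorted(counts.items()) if n > threshold]


def respond(alerts, mode="passive", never_block=NEVER_BLOCK):
    """Passive: log/notification lines only.  Active: additionally return the
    firewall rules to apply (as strings; nothing is executed here)."""
    log_lines = [f"ALERT {a.kind} src={a.source} detail={a.detail}" for a in alerts]
    rules = []
    if mode == "active":
        for src in sorted({a.source for a in alerts}):
            if src in never_block:
                log_lines.append(f"NOTICE not blocking {src}: on never-block list")
            else:
                rules.append(f"iptables -I INPUT -s {src} -j DROP")
    return log_lines, rules


def run(mode="passive"):
    threshold = build_baseline(parse(BASELINE_LOG))
    events = parse(OBSERVED_LOG)
    alerts = signature_detect(events) + anomaly_detect(events, threshold)
    return respond(alerts, mode)


if __name__ == "__main__":
    for mode in ("passive", "active"):
        log_lines, rules = run(mode)
        print(f"--- {mode} response ---\n" + "\n".join(log_lines + rules))
```

Running it shows the signature engine catching only the two requests it has patterns for, while the anomaly engine alone catches the burst from 198.51.100.4; in active mode each offending source becomes a DROP rule, except addresses on the never-block list, which are only logged.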
Friday, December 18, 2009
Intrusion Detection System (IDS)
About Kanav Gupta