Overview of Intrusion Detection and Prevention
Network-based versus host-based

Two basic types of IDSs in the market today are:

  • Host-based IDSs (HIDS)
  • Network-based IDSs (NIDS)

Host-based Intrusion Technology
Host-based intrusion response is implemented as either inline or passive technology, depending on the vendor. The passive technology, which was the first generation, is called a host-based intrusion detection system (HIDS); it only sends logs and alerts, and does so after the attack has occurred and the damage is done. The inline technology, called a host-based intrusion prevention system (HIPS), stops the attack itself and prevents damage and the propagation of worms and viruses.

Active detection can be configured to shut down the network connection or to stop the affected services automatically. The benefit is that an event can be analyzed and corrective action taken quickly. Cisco provides HIPS using the Cisco Security Agent software.

Current host-based intrusion prevention software requires agent software to be installed on each host, whether server or desktop, to monitor activity performed on and against that host. The Agent software performs the intrusion detection analysis and the prevention. The Agent software also sends logs and alerts to a centralized management/policy server.

The advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. This means it can notify network managers when an external process tries to modify a system file, for example to plant a hidden back door program.
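The paragraph above describes the core of a host agent: it keeps track of critical files and reacts when something modifies one. The following is an added example, not code from Cisco Security Agent or any vendor product, of a minimal file-integrity monitor that models the two operating modes the section contrasts. In "passive" (HIDS) mode a tampered file is only logged as an alert; in "inline" (HIPS) mode the agent also restores the known-good contents so the change does not persist. The class and function names (`HostMonitor`, `Alert`, `demo`) and the protected file `system.conf` are hypothetical, and the tampering is staged in a temporary directory so the example runs stand-alone.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One record sent to the management/policy server (hypothetical schema)."""
    path: str
    expected: str   # baseline SHA-256 digest recorded at enrollment
    observed: str   # digest found at check time, or "<missing>" if the file is gone
    action: str     # "logged" (passive / HIDS) or "restored" (inline / HIPS)


@dataclass
class HostMonitor:
    mode: str = "passive"                            # "passive" = HIDS, "inline" = HIPS
    baseline: dict = field(default_factory=dict)     # path -> sha256 hex digest
    known_good: dict = field(default_factory=dict)   # path -> original bytes (inline only)
    alerts: list = field(default_factory=list)       # everything reported so far

    @staticmethod
    def digest(path: str) -> str:
        """Hash the file in chunks so large files do not need to fit in memory."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def enroll(self, path: str) -> None:
        """Record the trusted state of a protected file."""
        self.baseline[path] = self.digest(path)
        if self.mode == "inline":
            # Inline mode must be able to undo a change, so keep the trusted bytes.
            with open(path, "rb") as f:
                self.known_good[path] = f.read()

    def check(self) -> list:
        """Compare every protected file against its baseline; return new alerts."""
        found = []
        for path, expected in self.baseline.items():
            observed = self.digest(path) if os.path.exists(path) else "<missing>"
            if observed == expected:
                continue
            action = "logged"
            if self.mode == "inline":
                # Prevention: put the trusted contents back before anything uses the file.
                with open(path, "wb") as f:
                    f.write(self.known_good[path])
                action = "restored"
            alert = Alert(path, expected, observed, action)
            self.alerts.append(alert)
            found.append(alert)
        return found


def demo(mode: str) -> dict:
    """Enroll one constructed file, tamper with it, and run two checks in the given mode."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "system.conf")   # constructed protected file
        with open(target, "wb") as f:
            f.write(b"original")
        mon = HostMonitor(mode=mode)
        mon.enroll(target)
        assert mon.check() == []                  # clean host: nothing to report
        with open(target, "wb") as f:             # simulated unauthorized modification
            f.write(b"tampered")
        first = mon.check()                       # detection (and restoration if inline)
        second = mon.check()                      # passive: still tampered; inline: clean again
        with open(target, "rb") as f:
            after = f.read()
    return {"first": first, "second": second, "after": after}


if __name__ == "__main__":
    for m in ("passive", "inline"):
        r = demo(m)
        print(m, [a.action for a in r["first"]], r["after"])
```

The second check is what separates the two modes: the passive monitor keeps raising the same alert because the damage is still there, while the inline monitor is quiet because the file was put back during the first check. A real agent would also intercept the write itself rather than polling, but the detect-and-log versus detect-and-act distinction is the same.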

Figure illustrates a typical HIPS deployment. Agents are installed on publicly accessible servers and on corporate mail and application servers. The Agents report events to a central Console server, such as CiscoWorks VMS, located inside the corporate firewall, or can e-mail an administrator directly.

Vendors of host security include Cisco Systems, Symantec, Internet Security Systems (ISS), and Enterasys.

Network-based Intrusion Technology
Just like host-based intrusion technology, a network intrusion detection system can be based on active or passive detection. Figure illustrates a typical network deployment of intrusion technology. Sensors are deployed at the network entry points that protect critical network segments; these segments contain both internal and external corporate resources. Sensors capture and analyze the traffic as it traverses the network. Sensors are typically tuned for intrusion detection analysis: the underlying operating system is stripped of unnecessary network services, and the essential services are secured. The Sensors report to a central Director server located inside the corporate firewall.
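To show what "capture and analyze the traffic" and "report to a central Director" amount to in code, here is an added example of a toy network sensor. It is not code from any Cisco product, and the packet format, rule names and `Director` class are hypothetical. The sensor applies two kinds of analysis to a constructed stream of packets: a content signature (a directory-traversal pattern in an HTTP request) and a stateful threshold rule (one source touching many distinct destination ports inside a short window). In passive mode each hit only produces an alert for the Director; in inline mode the triggering packet is also dropped, mirroring the active/passive distinction in the text. All addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured packet (constructed, not a real capture format)."""
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alert:
    name: str
    src: str
    dst: str
    detail: str


class Director:
    """Stand-in for the central Director server: it only collects reports."""
    def __init__(self):
        self.alerts = []

    def report(self, alert: Alert) -> None:
        self.alerts.append(alert)


# Content signatures: one compiled regex per rule (hypothetical rule set).
SIGNATURES = [("web-traversal-attempt", re.compile(rb"(\.\./){2,}"))]


class Sensor:
    SCAN_WINDOW = 5.0   # seconds of history kept per source
    SCAN_PORTS = 10     # distinct destination ports within the window that count as a scan

    def __init__(self, mode: str, director: Director):
        self.mode = mode                    # "passive" (alert only) or "inline" (alert + drop)
        self.director = director
        self.seen = defaultdict(deque)      # src -> deque of (ts, dport)
        self.flagged = set()                # sources already reported as scanning

    def _signature_hit(self, pkt: Packet):
        for name, rx in SIGNATURES:
            if rx.search(pkt.payload):
                return name
        return None

    def _scan_hit(self, pkt: Packet):
        q = self.seen[pkt.src]
        q.append((pkt.ts, pkt.dport))
        while q and pkt.ts - q[0][0] > self.SCAN_WINDOW:   # expire old entries
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.SCAN_PORTS and pkt.src not in self.flagged:
            self.flagged.add(pkt.src)       # report each scanning source once
            return f"{len(ports)} distinct ports within {self.SCAN_WINDOW}s"
        return None

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: "pass", "alert" (passive) or "drop" (inline)."""
        hit = self._signature_hit(pkt)
        detail = pkt.payload[:40].decode("latin-1") if hit else None
        if hit is None:
            scan = self._scan_hit(pkt)
            if scan:
                hit, detail = "port-scan", scan
        if hit is None:
            return "pass"
        self.director.report(Alert(hit, pkt.src, pkt.dst, detail))
        return "drop" if self.mode == "inline" else "alert"


def _http(ts: float, src: str, path: bytes) -> Packet:
    return Packet(ts, src, "192.0.2.10", 80, b"GET " + path + b" HTTP/1.1\r\n")


# Constructed traffic: three normal requests, one traversal attempt, then a 12-port sweep.
SAMPLE_TRAFFIC = (
    [_http(float(i), "10.0.0.5", b"/index.html") for i in range(3)]
    + [_http(3.0, "198.51.100.7", b"/../../../etc/passwd")]
    + [Packet(4.0 + i / 10, "203.0.113.9", "192.0.2.10", 1 + i, b"") for i in range(12)]
)


def run_sensor(mode: str = "passive"):
    """Feed the sample traffic through one sensor; return (Director alerts, per-packet verdicts)."""
    director = Director()
    sensor = Sensor(mode, director)
    verdicts = [sensor.inspect(p) for p in SAMPLE_TRAFFIC]
    return director.alerts, verdicts


if __name__ == "__main__":
    for m in ("passive", "inline"):
        alerts, verdicts = run_sensor(m)
        print(m, [(a.name, a.src) for a in alerts], verdicts.count("drop"), "dropped")
```

The sweep is only reported once the tenth distinct port is seen, so the first nine probe packets pass in both modes; an inline sensor can stop the rest of an attack, not the packets that were needed to recognize it. That is the usual trade-off behind the window and threshold values, which an operator tunes per segment.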
