Two basic types of IDSs on the market today are:
- Host-based IDSs (HIDS)
- Network-based IDSs (NIDS)
Host-based Intrusion Technology
Host-based intrusion response is implemented either as passive or as inline technology, depending on the vendor. The passive approach, the first-generation technology, is the host-based intrusion detection system (HIDS): it recognizes an attack from logs and system activity and raises an alert after the attack has occurred, when the damage may already be done. The inline approach, the host-based intrusion prevention system (HIPS), intercepts the activity as it happens, so it can stop the attack and prevent the damage and the propagation of worms and viruses. Active detection can be configured to shut down the network connection or to stop the affected services automatically, which allows an event to be analyzed and corrective action taken quickly; the trade-off is that a false positive now interrupts a legitimate process instead of only producing a log entry, so inline policies need tuning before enforcement is switched on. Cisco provides HIPS with the Cisco Security Agent software.
Current host-based intrusion prevention software requires agent software to be installed on each host, server or desktop, to monitor activity performed on and against that host. The agent performs the intrusion detection analysis and the prevention locally, and it also sends logs and alerts to a centralized management/policy server.
The advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that exist only on that specific host and that a network sensor therefore never sees. This means it can notify network managers when an unexpected process tries to modify a system file, for example to plant a hidden back door program.
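The following is an added example, not code from the page or from Cisco Security Agent, that models the two host-agent behaviours described above: a file-integrity baseline over a set of protected files, a passive (HIDS) policy that lets a write land and alerts afterwards, and an inline (HIPS) policy that refuses the write before the file changes. The protected file name, the "dropper" process name and the file contents are constructed for the illustration; a real agent hooks the operating system so every write is checked, whereas here callers must route writes through HostAgent.mediate_write().

```python
"""Model of a host agent: file-integrity baseline plus passive (HIDS) or
inline (HIPS) policy. Added illustration, not Cisco Security Agent code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

PASSIVE = "passive"   # HIDS behaviour: the write lands, an alert follows
INLINE = "inline"     # HIPS behaviour: the write is refused, an alert follows


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class HostAgent:
    mode: str
    protected: set = field(default_factory=set)    # files the policy guards
    baseline: dict = field(default_factory=dict)   # path -> known-good hash
    alerts: list = field(default_factory=list)     # what would go to the console server

    def take_baseline(self) -> None:
        """Record known-good hashes; do this on a clean host, before exposure."""
        self.baseline = {p: sha256_file(p) for p in self.protected}

    def mediate_write(self, path: str, data: bytes, process: str = "unknown") -> bool:
        """Decide whether `process` may overwrite `path`; True if the write landed."""
        if path in self.protected and self.mode == INLINE:
            self.alerts.append(f"BLOCKED {process} -> {path}")
            return False
        with open(path, "wb") as fh:
            fh.write(data)
        if path in self.protected:
            # Passive mode: the damage is already done when the alert goes out.
            self.alerts.append(f"MODIFIED {process} -> {path}")
        return True

    def verify(self) -> list:
        """Periodic integrity sweep: protected files whose hash no longer matches."""
        return [p for p in self.protected if sha256_file(p) != self.baseline[p]]


def demo(mode: str):
    """Run one scenario in a scratch directory.
    Returns (write_allowed, protected_file_changed, alerts).
    The file name and contents are constructed for the example."""
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "sshd_config")   # hypothetical protected file
    with open(target, "wb") as fh:
        fh.write(b"PermitRootLogin no\n")
    agent = HostAgent(mode=mode, protected={target})
    agent.take_baseline()
    allowed = agent.mediate_write(target, b"PermitRootLogin yes\n", process="dropper")
    changed = agent.verify() == [target]
    return allowed, changed, agent.alerts


if __name__ == "__main__":
    for mode in (PASSIVE, INLINE):
        print(mode, demo(mode))
```

In passive mode the sweep finds the modified file and the alert reads MODIFIED, which is the "logs after the damage is done" case; in inline mode the write never lands, the sweep finds nothing, and the alert reads BLOCKED. The same interception point is where an inline false positive would stop a legitimate update, which is why the baseline and protected set must be maintained alongside patching.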
Figure illustrates a typical HIPS deployment. Agents are installed on publicly accessible servers and on corporate mail and application servers. The agents report events to a central console server, such as CiscoWorks VMS, located inside the corporate firewall, or can e-mail an administrator.
Vendors of host security include
Cisco Systems, Symantec, Internet Security Systems (ISS), and Enterasys.
Network-based Intrusion Technology
Just like host-based intrusion technology, a network intrusion detection system can be based on active or passive detection. Figure illustrates a typical network deployment of intrusion technology. Sensors are deployed at the network entry points that protect critical network segments; those segments hold both internal and external corporate resources. The sensors capture and analyze the traffic as it traverses the network and are tuned for intrusion detection analysis: the underlying operating system is stripped of unnecessary network services, and the essential services that remain are secured. The sensors report to a central Director server located inside the corporate firewall. Note that a sensor watching a copy of the traffic (a tap or a switch monitor port) can only alert, or react after the fact with a TCP reset or a blocking rule pushed to a router or firewall; stopping every packet of an attack requires the sensor to sit inline in the traffic path, with the same false-positive trade-off as an inline host agent.
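The following is an added example, not code from the page or from any Cisco sensor, showing the kind of analysis a network sensor performs on captured traffic: a content signature match on the packet payload and a threshold rule for a port scan, with each event tagged by the response a passive sensor (alert only) or an active one (block the source) would take. The Packet fields, the two signatures, the scan threshold and the sample traffic are all constructed for the illustration and are not a real capture.

```python
"""Toy network sensor: signature and threshold matching over a packet stream,
producing the events a sensor would report to a central Director.
Added illustration; not Cisco sensor code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # TCP flags as letters, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes = b""


# Constructed content signatures: (name, destination port or None, byte pattern).
SIGNATURES = [
    ("web-traversal", 80, b"../../"),
    ("web-passwd-read", 80, b"/etc/passwd"),
]
SCAN_THRESHOLD = 10   # distinct destination ports from one source -> probable scan


def _event(name: str, p: Packet, active: bool) -> dict:
    """Build one event record; in active mode it also carries the response."""
    return {
        "sig": name,
        "src": p.src,
        "dst": p.dst,
        "dport": p.dport,
        "action": f"shun {p.src}" if active else "alert",
    }


def analyze(packets, active: bool = False) -> list:
    """Run every packet through the signatures and the scan threshold.

    Returns the list of events in detection order. With active=False the
    sensor only alerts (passive detection); with active=True each event also
    names the source it would block (active detection)."""
    events = []
    ports_seen = defaultdict(set)
    for p in packets:
        for name, port, pattern in SIGNATURES:
            if (port is None or p.dport == port) and pattern in p.payload:
                events.append(_event(name, p, active))
        if "S" in p.flags:
            ports_seen[p.src].add(p.dport)
            # Fire once, exactly when the source crosses the threshold.
            if len(ports_seen[p.src]) == SCAN_THRESHOLD:
                events.append(_event("port-scan", p, active))
    return events


def director_lines(events) -> list:
    """Format events as the one-line records a Director console would receive."""
    return [f"{e['sig']} {e['src']} -> {e['dst']}:{e['dport']} action={e['action']}"
            for e in events]


# Constructed sample traffic (not a real capture): one web request carrying a
# traversal attempt, then a SYN sweep over 15 ports from a second source.
SAMPLE = [Packet("10.0.0.5", "192.0.2.10", 80, "PA",
                 b"GET /../../etc/passwd HTTP/1.0\r\n")]
SAMPLE += [Packet("203.0.113.9", "192.0.2.10", port, "S") for port in range(20, 35)]


if __name__ == "__main__":
    for line in director_lines(analyze(SAMPLE, active=True)):
        print(line)
```

The passive and active runs detect the same three events; only the recorded response differs, which mirrors the distinction the section draws between detection and prevention. The threshold rule fires once per source rather than on every SYN after the tenth, a small detail that keeps a real scan from flooding the Director with duplicate events.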