Network Based IDS Versus Host Based IDS

Host-based IDS (HIDS) and network-based IDS (NIDS) should be seen as complementary, because each system covers the other's weaknesses. Therefore, they should be deployed together rather than only one or the other. Table 5-1 lists the most important advantages and disadvantages of deploying NIDS or HIDS.

Table 5-1 Comparison of Host-Based IDS and Network-Based IDS*

Host-based IDS (HIDS)

  Advantages:
  - Verification of success or failure of an attack possible.
  - Has a good knowledge of the host's context, and as a result is more focused on a specific system.

  Disadvantages:
  - OS/platform-dependent. Not available for all operating systems.
  - Impact on the available resources of the host system.
  - Expensive to deploy one agent per host. Expensive to train staff to support and implement on a large basis.

Network-based IDS (NIDS)

  Advantages:
  - Protects all hosts on the monitored network cost effectively.
  - Independent of the OS and has no impact on the host (runs invisibly).
  - Especially useful for low-level attacks (network probes and denial of service attacks).

  Disadvantages:
  - Deployment is very challenging in a switched environment.
  - Network traffic may overload the NIDS (CPU intensive).
  - Not effective for single-packet attacks and hidden attacks in encrypted packets.

*Cisco NIDS is covered in more detail in Chapter 6 of this guide.
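The following added example (not from the guide, and not any vendor's product) shows the complementary deployment in practice: the NIDS sees an exploit attempt against every host on the segment, and the HIDS agent on the targeted host supplies the verification of success or failure that the sensor alone cannot. The alert and event records, their field names, the 60-second window and the "success indicator" event types are all constructed assumptions.

```python
"""Correlate NIDS alerts with HIDS events to verify attack success or failure.

Constructed records throughout: no real sensor or agent format is implied.
"""
from datetime import datetime, timedelta

# Constructed NIDS alerts: the sensor saw the same exploit attempt against three hosts.
NIDS_ALERTS = [
    {"id": 1, "ts": "2024-05-01T10:00:00", "dst": "10.0.0.5", "sig": "web-exploit-attempt"},
    {"id": 2, "ts": "2024-05-01T10:05:00", "dst": "10.0.0.6", "sig": "web-exploit-attempt"},
    {"id": 3, "ts": "2024-05-01T10:10:00", "dst": "10.0.0.7", "sig": "web-exploit-attempt"},
]

# Constructed HIDS events from the agents on the targeted hosts.
# 10.0.0.7 runs a platform with no agent available (HIDS is OS-dependent), so it has no events.
HIDS_EVENTS = [
    {"ts": "2024-05-01T10:00:20", "host": "10.0.0.5", "event": "new-process", "detail": "/bin/sh spawned by httpd"},
    {"ts": "2024-05-01T10:05:05", "host": "10.0.0.6", "event": "web-error", "detail": "HTTP 404 returned"},
]

WINDOW = timedelta(seconds=60)  # assumed correlation window after the NIDS alert
# Assumed host-side event types that mean the attack changed something on the host.
SUCCESS_INDICATORS = {"new-process", "file-modified", "new-account"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def verify_alert(alert, hids_events, window=WINDOW):
    """Return 'confirmed', 'failed' or 'unverified' for one NIDS alert."""
    t0 = _parse(alert["ts"])
    related = [e for e in hids_events
               if e["host"] == alert["dst"] and t0 <= _parse(e["ts"]) <= t0 + window]
    if not related:
        return "unverified"  # no agent or no host activity: the NIDS alone cannot tell
    if any(e["event"] in SUCCESS_INDICATORS for e in related):
        return "confirmed"   # host context shows the attempt achieved something
    return "failed"          # host responded, but nothing indicating compromise


def verify_all(alerts=NIDS_ALERTS, hids_events=HIDS_EVENTS):
    """Map every NIDS alert id to its host-verified verdict."""
    return {a["id"]: verify_alert(a, hids_events) for a in alerts}


if __name__ == "__main__":
    for alert_id, verdict in verify_all().items():
        print(f"alert {alert_id}: {verdict}")
```

The "unverified" verdict for 10.0.0.7 is the gap the table describes: NIDS coverage is cheap and OS-independent, but without an agent on the host the outcome of the attack stays unknown.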

