
nvh_ids_4 October 2, 1998 Page 4

Strengths of Network-Based Intrusion Detection Systems

Network-based IDS have many strengths that cannot easily be offered by host-based intrusion detection alone. Many customers, in fact, deploy network-based intrusion detection when using an IDS for the first time because of its low cost of ownership and rapid response times. Below are the major reasons that make network-based intrusion detection a critical component of a sound security policy implementation.

1. Lowers cost of ownership – network-based IDS allow strategic deployment at critical access points for viewing network traffic destined to multiple systems. As a result, network-based systems do not require software to be loaded and managed on a variety of hosts. Since fewer detection points are required, the cost of ownership is lower for an enterprise environment.

2. Detects attacks that host-based systems miss – network-based IDS examine all packet headers for signs of malicious and suspicious activity. Host-based IDS do not see packet headers, so they cannot detect these types of attacks. For example, many IP-based denial-of-service (DoS) and fragmented packet (TearDrop) attacks can only be identified by looking at the packet headers as they travel across a network. This type of attack can be quickly identified by a network-based system looking at the packet stream in real time. Network-based IDS can also investigate the content of the payload, looking for commands or syntax used in specific attacks. For example, an attacker probing for the new Back Orifice exploit on systems not yet infected with the Back Orifice software can be detected by examining the packet payload. As above, host-based systems do not see the payload, and so are not able to recognize embedded payload attacks.

3. More difficult for an attacker to remove evidence – network-based IDS use live network traffic for real-time attack detection. Therefore, an attacker cannot remove the evidence. Captured data includes not only the method of attack, but information that may help lead to identification and prosecution. Since many hackers understand audit logs, they know how to manipulate these files to cover their tracks, frustrating host-based systems that need this information to detect an intrusion.

4. Real-time detection and response – network-based IDS detect malicious and suspicious attacks as they occur, and so provide faster notification and response. For example, a hacker initiating a network-based denial of service (DoS) based on TCP can be stopped by having a network-based IDS send a TCP reset to terminate the attack before it crashes or damages a targeted host. Host-based systems usually do not recognize an attack or take action until after a suspicious log entry has been written. By this time, critical systems may already be compromised, or the system running the host-based IDS may have crashed. Real-time notification allows rapid reaction according to predefined parameters. These responses range from allowing the penetration to continue in surveillance mode in order to gather information, to immediate termination of the attack.

5. Detects unsuccessful attacks and malicious intent – network-based IDS add valuable data for determining malicious intent. A network-based IDS placed outside of a firewall can detect attacks intended for resources behind the firewall, even though the firewall may be rejecting these attempts. Host-based systems do not see rejected attacks that never hit a host
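Item 2 above says fragmented-packet (TearDrop-style) attacks are only visible in the IP headers as they cross the wire. The following added example, not part of the original paper or any vendor's product, shows the header-level check a network sensor performs: it decodes the IPv4 fragment fields and raises an alert when a new fragment overlaps one already seen for the same datagram. The packets are constructed inline (hypothetical addresses 10.0.0.1 and 10.0.0.2) so it runs offline.

```python
import struct
from collections import defaultdict

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header fields needed for fragment checks."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                     # header length in bytes
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,       # fragment offset is in 8-byte units
        "payload_len": total_len - ihl,
    }

class FragmentOverlapDetector:
    """Tracks fragment byte ranges per datagram and flags overlaps (TearDrop-style)."""
    def __init__(self):
        self.frags = defaultdict(list)             # (src, dst, id, proto) -> [(start, end)]

    def observe(self, pkt: bytes):
        h = parse_ipv4_header(pkt)
        if not h["more_fragments"] and h["offset"] == 0:
            return None                            # unfragmented datagram, nothing to check
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["payload_len"]
        for s, e in self.frags[key]:
            if start < e and s < end:              # byte ranges intersect: malformed fragment
                return {"alert": "overlapping IP fragment", "id": h["id"],
                        "offset": start, "overlaps": (s, e)}
        self.frags[key].append((start, end))
        return None

def make_fragment(ident: int, offset: int, payload_len: int, more: bool) -> bytes:
    """Build a constructed UDP-in-IPv4 fragment (checksum left zero; hypothetical hosts)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len

def demo():
    """Benign adjacent fragments (id 1) then an overlapping pair (id 2)."""
    det = FragmentOverlapDetector()
    benign = [make_fragment(1, 0, 24, True), make_fragment(1, 24, 16, False)]
    bad = [make_fragment(2, 0, 24, True), make_fragment(2, 16, 16, False)]
    return [det.observe(p) for p in benign + bad]  # only the last packet alerts
```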