October 2, 1998
Page 4
Strengths of Network-Based Intrusion Detection Systems
Network-based IDS have many strengths that cannot easily be offered by host-based intrusion
detection alone. Many customers, in fact, deploy network-based intrusion detection when using
an IDS for the first time due to its low cost of ownership and rapid response times. Below are
major reasons that make network-based intrusion detection a critical component of sound
security policy implementation.
1. Lowers cost of ownership: network-based IDS allow strategic deployment at critical access points for viewing network traffic destined to multiple systems. As a result, network-based systems do not require software to be loaded and managed on a variety of hosts. Since fewer detection points are required, the cost of ownership is lower for an enterprise environment.
2. Detects attacks that host-based systems miss: network-based IDS examine all packet headers for signs of malicious and suspicious activity. Host-based IDS do not see packet headers, so they cannot detect these types of attacks. For example, many IP-based denial-of-service (DOS) and fragmented packet (TearDrop) attacks can only be identified by looking at the packet headers as they travel across a network. This type of attack can be quickly identified by a network-based system looking at the packet stream in real-time. Network-based IDS can also investigate the content of the payload, looking for commands or syntax used in specific attacks. For example, an attacker probing for the new Back Orifice exploit on systems not yet infected with the Back Orifice software can be detected by examining the packet payload. As above, host-based systems do not see the payload, and so are not able to recognize embedded payload attacks.
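As an added example (not from the original paper), a small Python fragment monitor of the kind item 2 describes: it reads only the IPv4 headers and flags a fragment whose byte range overlaps an earlier fragment of the same datagram, which is the header-level pattern behind TearDrop. The addresses, IP identifiers and fragment sizes are constructed sample values.

```python
import struct
from collections import defaultdict

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the IPv4 header fields a network sensor needs for fragment checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is in 8-byte units
            "more": bool(flags_frag & 0x2000),     # MF (more fragments) flag
            "payload_len": total_len - ihl}

class FragmentMonitor:
    """Tracks the byte range each fragment claims per datagram and flags overlaps."""
    def __init__(self):
        self.ranges = defaultdict(list)   # (src, dst, id, proto) -> [(start, end), ...]

    def observe(self, pkt: bytes):
        h = parse_ipv4_header(pkt)
        if not h["more"] and h["offset"] == 0:
            return None   # unfragmented datagram: nothing to reassemble
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["payload_len"]
        for s, e in self.ranges[key]:
            if start < e and s < end:   # byte ranges intersect
                return f"ip.id={h['id']}: fragment [{start},{end}) overlaps [{s},{e})"
        self.ranges[key].append((start, end))
        return None

def build_fragment(ident, offset, payload_len, more):
    """Constructed sample input: a bare IPv4 header describing one UDP fragment."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def scan(packets):
    """Run the monitor over a packet sequence and collect the alerts it raises."""
    mon = FragmentMonitor()
    return [a for a in (mon.observe(p) for p in packets) if a]

# Constructed traffic: a normal two-fragment datagram, then one whose second
# fragment lies entirely inside the first (the TearDrop overlap pattern).
NORMAL = [build_fragment(1, 0, 1480, True), build_fragment(1, 1480, 100, False)]
OVERLAP = [build_fragment(2, 0, 36, True), build_fragment(2, 24, 4, False)]
```

A host-based sensor reading audit logs never sees these header fields, which is the point the paper makes; a sensor on the wire can raise the alert before the target's IP stack attempts reassembly.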
3. More difficult for an attacker to remove evidence: network-based IDS use live network traffic for real-time attack detection. Therefore, an attacker cannot remove the evidence. Captured data includes not only the method of attack, but information that may help lead to identification and prosecution. Since many hackers understand audit logs, they know how to manipulate these files to cover their tracks, frustrating host-based systems that need this information to detect an intrusion.
4. Real-time detection and response: network-based IDS detect malicious and suspicious attacks as they occur, and so provide faster notification and response. For example, a hacker initiating a network-based denial of service (DOS) based on TCP can be stopped by having a network-based IDS send a TCP reset to terminate the attack before it crashes or damages a targeted host. Host-based systems usually do not recognize an attack or take action until after a suspicious log entry has been written. By this time, critical systems may already be compromised, or the system running the host-based IDS may have crashed. Real-time notification allows rapid reaction according to predefined parameters. These responses range from allowing the penetration in surveillance mode in order to gather information to immediate termination of the attack.
5. Detects unsuccessful attacks and malicious intent: network-based IDS add valuable data for determining malicious intent. A network-based IDS placed outside of a firewall can detect attacks intended for resources behind the firewall, even though the firewall may be rejecting these attempts. Host-based systems do not see rejected attacks that never hit a host