October 2, 1998
Page 9
The Need for Both Network- and Host-Based Intrusion Detection
Both network- and host-based IDS solutions have unique strengths and benefits that complement
each other. A next-generation IDS, therefore, must include tightly integrated host and network
components. Combining these two technologies will greatly improve network resistance to
attacks and misuse, enhance the enforcement of security policy and introduce greater flexibility
in deployment options.
The graphic below illustrates how network- and host-based intrusion detection techniques
interact to create a more powerful network defense. Some events are detectable by network
means only. Others are detectable only at the host. Several require both types of intrusion
detection to be identified in full.
Figure: Intruder-to-victim events grouped by the type of IDS able to detect them (Network-based only, Host-based only, Network-based and Host-based).

Network-based only:
- SYN Flood attack
- Land, Smurf, TearDrop attacks
- BackOrifice hacker tool
- WinNuke attack

Host-based only:
- Encrypted network traffic
- Overwrite the login executable
- Walk up to the keyboard attack (ex. Sun OpenPROM)

Network-based and Host-based (each attack sequence needs both sensors to be seen end to end):
- Sequence A: 1) Telnet to a system (Network IDS); 2) Intruder SUs to root (Host IDS); 3) Turns off logging (Host IDS)
- Sequence B: 1) Port scan (Network IDS); 2) HTTP cgi-bin attack (Network IDS); 3) Changes a Web page (Host IDS)
- Sequence C: 1) Port scan (Network IDS); 2) Sendmail WIZ attack (Network IDS); 3) Root shell accessed (Host IDS)
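The three combined sequences in the figure only become visible when network and host events are correlated per victim. The toy correlator below is an added example written for this page, not code from the original paper or from any IDS product; the log format, event names (`telnet_login`, `su_root`, `audit_disabled`, and so on), host names and timestamps are all constructed for illustration. It reads a mixed feed, groups events by victim, and reports a sequence only when its steps occur in order within a time window. Running it over the network-only or host-only subset finds none of the three sequences, which is the point the paper makes.

```python
"""Toy network/host IDS event correlator (added example with constructed data).

Event vocabulary, log format and timestamps are invented for illustration;
they do not correspond to any real sensor's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str   # "network" or "host"
    victim: str   # host the event concerns
    kind: str     # normalized event type (constructed vocabulary)


# Constructed sample feed, one line per event: <ISO time> <sensor> <victim> <kind>
SAMPLE_LOG = """\
1998-10-02T10:00:05 network ws1   port_scan
1998-10-02T10:01:10 network ws1   http_cgi_attack
1998-10-02T10:03:40 host    ws1   web_page_modified
1998-10-02T11:15:00 network srv2  telnet_login
1998-10-02T11:16:30 host    srv2  su_root
1998-10-02T11:17:02 host    srv2  audit_disabled
1998-10-02T12:00:00 network mail3 port_scan
1998-10-02T12:00:20 network mail3 sendmail_wiz
1998-10-02T12:01:00 host    mail3 root_shell
1998-10-02T13:00:00 host    ws1   su_root
"""

# The three "both" sequences from the figure as ordered (sensor, kind) steps.
SCENARIOS = {
    "telnet, su to root, logging turned off": [
        ("network", "telnet_login"), ("host", "su_root"), ("host", "audit_disabled")],
    "port scan, cgi-bin attack, web page changed": [
        ("network", "port_scan"), ("network", "http_cgi_attack"), ("host", "web_page_modified")],
    "port scan, sendmail WIZ, root shell accessed": [
        ("network", "port_scan"), ("network", "sendmail_wiz"), ("host", "root_shell")],
}


def parse_log(text):
    """Parse the whitespace-separated constructed log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, victim, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), sensor, victim, kind))
    return events


def match_sequence(events, steps, window):
    """Find `steps` in order in time-sorted `events`, all within `window` of the
    first step. Returns (start, end) timestamps or None."""
    for i, first in enumerate(events):
        if (first.sensor, first.kind) != steps[0]:
            continue
        step, last = 1, first
        for ev in events[i + 1:]:
            if ev.ts - first.ts > window:
                break  # this candidate start ran out of time; try the next one
            if (ev.sensor, ev.kind) == steps[step]:
                step, last = step + 1, ev
                if step == len(steps):
                    return first.ts, last.ts
    return None


def correlate(events, sensors=("network", "host"), window=timedelta(minutes=30)):
    """Return (scenario, victim, start, end) for every completed sequence,
    using only events from the given sensor types."""
    by_victim = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sensor in sensors:
            by_victim[ev.victim].append(ev)
    hits = []
    for victim, evs in by_victim.items():
        for name, steps in SCENARIOS.items():
            found = match_sequence(evs, steps, window)
            if found:
                hits.append((name, victim, found[0], found[1]))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for label, sensors in (("both", ("network", "host")),
                           ("network only", ("network",)),
                           ("host only", ("host",))):
        print(f"{label}: {len(correlate(events, sensors))} sequence(s) completed")
    for name, victim, start, end in correlate(events):
        print(f"  {victim}: {name} ({start:%H:%M:%S} -> {end:%H:%M:%S})")
```

The window check is deliberately per candidate start, so a stray `su_root` on `ws1` hours later does not pair with an unrelated earlier event; in practice the window and the step vocabulary are the two knobs a detection engineer tunes.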