Intrusion Detection: Best Security Practices

There are two types of intrusion detection that you, as a computer security administrator, should know: NIDS, or network-based intrusion detection, and HIDS, or host-based intrusion detection. This article explains what both are and how they should be implemented in your network. It is more important than ever to complement your network's firewalls and anti-virus solutions with an intrusion detection system that detects attack signatures and prevents or reduces the loss caused by unauthorized access to your systems.

It is important to note that when using an intrusion detection system, many of the alerts received can be misleading. These are called "false positives": even though the attack may seem real, it is just another false alarm. Intrusion detection can still be a very useful tool, as it may prevent a future disaster. If an attacker does break into your network, it can help track the activity of the attack and help prevent the next one.

Network-Based Intrusion Detection

NIDS: Network Intrusion Detection System

A network-based IDS monitors every packet that passes through your network. Using a sensor-like device, the network IDS acts as a large sniffer: it captures frames and analyzes them for hostile traffic. NIDS sensors are usually placed within the network and sit quietly analyzing suspicious traffic and logging it to a file for comparison. If a signature matches a hostile attack, the NIDS can be configured to alert the administrator by whatever means was implemented, e.g. e-mail or pager call, and the administrator can then begin an investigation. One benefit of a network-based IDS is that it does not use many network resources while monitoring.

Host-Based Intrusion Detection

Host-based intrusion detection systems differ from network IDS in that they are usually contained on one host machine and analyze malicious activity or misuse from inside the network. A HIDS verifies the integrity of files on the host and compares what it finds against the attack signatures in its internal database. Once an attack signature is found, the host sends an alert to the administrator. Host-based intrusion detection systems are often resource hogs and have to be installed on individual computers, in which case those computers' processing time is slowed down.

Network IDS Benefits

A network IDS helps detect and prevent:

  • IP spoofing
  • Denial of service attacks
  • ARP cache poisoning
  • DNS name corruption
  • Man-in-the-middle attacks

Host-Based IDS Benefits

  • Analyzes areas of the host to determine misuse.
  • Compares system kernel, server, network, or firewall logs against an internal database of attack signatures.
  • Can filter and analyze system logs.
  • Can tag anomalous messages with a severity rating.
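As an added illustration of the host-based functions described above (file integrity verification, log filtering against a signature database, and severity tagging), here is a small Python sketch that is not part of the original article; the file contents, signature rules and log lines are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-ins for files on the monitored host (a real HIDS reads them
# from disk); paths and contents are invented for this example.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}

# Constructed signature database: (rule name, pattern, severity rating).
SIGNATURES = [
    ("ssh-auth-failure", re.compile(r"Failed password for (invalid user )?\S+ from \S+"), "medium"),
    ("sudo-command", re.compile(r"sudo:.*COMMAND="), "low"),
    ("new-user-added", re.compile(r"useradd\[\d+\]: new user"), "high"),
]

# Constructed syslog-style lines standing in for the host's auth log.
SAMPLE_LOG = [
    "Jan  3 10:01:02 host sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4123 ssh2",
    "Jan  3 10:01:03 host sshd[812]: Accepted publickey for ops from 198.51.100.7 port 51000 ssh2",
    "Jan  3 10:02:10 host useradd[900]: new user: name=svc, UID=1002, GID=1002, home=/home/svc, shell=/bin/sh",
]


def build_baseline(files):
    """Record a SHA-256 digest of every monitored file: the trusted baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline, current):
    """Return (path, status) for files that are 'modified', 'deleted' or 'added'."""
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append((path, "deleted"))
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            findings.append((path, "modified"))
    findings.extend((path, "added") for path in current if path not in baseline)
    return findings


def scan_logs(lines):
    """Return (severity, rule, line) for each log line matching a signature."""
    hits = []
    for line in lines:
        for name, pattern, severity in SIGNATURES:
            if pattern.search(line):
                hits.append((severity, name, line))
                break  # first matching rule decides the severity tag
    return hits
```

The accepted-publickey line matches no rule and is filtered out, while the two matching lines come back tagged "medium" and "high"; a changed, removed or unexpected file shows up as a finding against the stored baseline.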

Note: keep in mind that a network-based IDS usually monitors a switch or a router. It analyzes all activity on the gateway and all traffic that comes through your network.

A host-based IDS monitors your system or machine for misuse and intrusion.