10.11 Multiple-Based IDSs

There are host-based IDSs as well, also known as event log viewers. This kind of IDS monitors event logs from multiple sources for suspicious activity. These host-based IDSs are ideal for detecting computer misuse from inside users or outsiders who have already infiltrated a network. There is an added benefit to these types of IDS in that because they operate in near real time, system faults are often detected quickly.

There are also network-based IDSs that monitor all network traffic, reacting to any packet anomaly or signature-based suspicious activity. Basically, they are specialized packet sniffers, and they come in the guise of plug-and-play, appliance-based products. These network-based IDSs analyze every packet, looking for the signature of intruder attacks; some will block suspicious packets. Because many network IDSs are unreliable at high speeds dropping a high percentage of network packets, new network-node IDSs are becoming popular, as they delegate the network-IDS function down to individual hosts, alleviating the problems of both high-speed failures and packet switching.

A network-based IDSs view is restricted to what passes over a given line. Also, a tremendous amount of data must be examined and logged, a process considerably weakened if encryption is used. Further, these IDSs can only monitor a limited number of machines or entities. Most of the current crop of network IDSs lack the robustness to deal with missing, incomplete, untimely, or otherwise faulty data.

Lastly, there are hybrid IDSs that are combinations of network and host systems in a single package. This solution gives maximum coverage. Many networks and system administrators reserve these hybrid IDSs for critical servers because they tend to be the most expensive products available.