To examine network traffic and trigger alarms when your network is under attack, your IDS must somehow monitor your network at specific points. The two common monitoring locations are as follows:
- Host-based monitoring
- Network-based monitoring
A host-based monitoring system examines information at the local host or operating system. This can be accomplished through a complex system that examines actual system calls, or it can be as simple as examining system log files. Some of these techniques can actually halt attacks before they succeed, whereas others report only on what has already happened.
The major benefit of a host-based monitoring system is that the success or failure of an attack can be readily determined. A network-based system alarms on the presence of intrusive activity, but can't always ascertain the success or failure of such an attack. Host-based detection systems also do not have to worry about fragmentation attacks or variable time-to-live attacks because the host's own stack takes care of these issues. One final advantage of a host-based monitoring system is that if the network traffic stream is encrypted, the host-based monitoring system has access to the traffic in unencrypted form.
Two of the major drawbacks to a host-based monitoring system are as follows:
- Incomplete network picture
- Necessity to support multiple operating systems
By only examining information at the local host level, a host-based monitoring system has difficulty constructing an accurate network picture or coordinating the events happening across your entire network. The other difficulty lies in the fact that a host-based monitoring system needs to run on every system in your network. This requires verifying support for all of the different operating systems that you use on your network.
Instead of looking for intrusive activity at the host level, network-based monitoring systems examine the actual network packets that are traveling across the network. The system examines this traffic for known signs of intrusive activity. Because these systems are watching network traffic, any attack signatures detected may succeed or fail. It is usually difficult, if not impossible, for network-based monitoring systems to assess the success or failure of the actual attacks. They only indicate the presence of intrusive activity.
A network-based monitoring system has the benefit of seeing and coordinating attacks that are occurring across your entire network very easily. Seeing the attacks against your entire network gives you a clear indication of the extent to which your network is being attacked. Furthermore, because the monitoring system is only examining traffic from your network, it does not have to support every type of operating system that you use on your network.
Encryption of the network traffic stream can essentially blind your network-based IDS. Reconstructing fragmented traffic can also be a difficult problem to solve. Probably the biggest drawback to network-based monitoring, however, is that as networks become increasingly larger (with respect to bandwidth), it becomes more difficult to place a network-based IDS at a single location on your network and capture all of the traffic successfully. This then requires the utilization of more sensors throughout your network, which increases the costs of your IDS.
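As an added example (not from the original text), the fragmentation point made above in miniature: a network-based sensor that inspects each fragment on its own can miss a signature that straddles a fragment boundary, whereas a host-based sensor sees the datagram only after the host's own stack has reassembled it. The Fragment type, the signature string and the sample payload are constructed for illustration and are not a real IDS rule.

```python
# Added illustration of fragment reassembly versus per-fragment inspection.
from dataclasses import dataclass
from typing import List, Optional

SIGNATURE = b"EVIL-PATTERN"  # constructed signature, not a real IDS rule


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the original datagram
    data: bytes
    more: bool    # True if further fragments follow (like the IP "MF" flag)


def network_sensor_per_fragment(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Naive network-based check: looks for the signature in each fragment alone."""
    return any(sig in f.data for f in frags)


def host_stack_reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Models the host's IP stack: orders fragments by offset and joins them.
    Returns None if a byte range is missing or the final fragment never
    arrived, as a real stack would time out rather than deliver a partial
    datagram."""
    buf = bytearray()
    expected = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset > expected:          # gap: datagram is incomplete
            return None
        # Overlapping bytes: keep the earlier copy (one of several OS policies).
        buf.extend(f.data[expected - f.offset:])
        expected = len(buf)
    if max(frags, key=lambda f: f.offset).more:
        return None
    return bytes(buf)


def host_sensor(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Host-based check: inspects the reassembled datagram the stack delivers."""
    payload = host_stack_reassemble(frags)
    return payload is not None and sig in payload


# Constructed datagram split so the signature straddles the fragment boundary.
PAYLOAD = b"hello EVIL-PATTERN world"
FRAGS = [Fragment(0, PAYLOAD[:9], True), Fragment(9, PAYLOAD[9:], False)]

if __name__ == "__main__":
    print("per-fragment sensor:", network_sensor_per_fragment(FRAGS))  # False
    print("host-side sensor:   ", host_sensor(FRAGS))                  # True
```

Feeding the fragments out of order gives the same result on the host side, which is exactly the ordering and gap handling a network sensor has to reimplement for itself.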