Host-Based IDS vs Network-Based IDS (Part 1)

by [Published on 10 July 2003 / Last Updated on 10 July 2003]

This white paper will highlight the association between Network Based and Host based intrusion detection. A product comparison will be incorporated in a following white paper part 2 to assist in the selection of the appropriate IDS for your organization. Important facts and consideration will be highlighted to assist when selecting a sound intrusion detection system. This white paper will give you a better understanding of the differences between NID and HIDS and will highlight the strengths and weaknesses of both concurrently extending your knowledge and increasing your understanding of the IDS systems.

If you would like to receive an email when the next article in this series is released, subscribe to the WindowSecurity.com Real-Time Article Updates from our Newsletter subscriptions page).

IDS functionality

An IDS system is used to make security professional aware of packets entering and leaving the monitored network.  IDS are often used to sniff out network packets giving you a good understanding of what is really happening on the network. There are two mainstream options when implementing IDS Host based IDS and Network based IDS.  Some IDS have the capability of distinguishing different types of network traffic on the same port number and it can show you if the request is an HTTP request on port 80 or if the user is using the preferred instant messaging system over port 80.  IDS have the ability to drop malicious packets that may cause your network harm.  This is the latest technological advance on firewalls and because the IDS have pattern files you can be certain that the latest network bug will be swatted from your LAN, WAN, WLAN or PAN.  Host based IDS can be active if you on or off a LAN or connected network as it is resident on the local machine.

Product

Type of IDS

Price

More Info

 

 

 

 

INTRUST Event admin Aelita

HIDS

$599 Per server $64 per Workstation Price may vary.

Click Here

 

 

 

 

ELM 3.0 TNT software

HIDS

$515 Server, workstation and TCP/IP agent

Click Here

 

 

 

 

GFI LANguard S.E.L.M

HIDS

$ 375 two servers 10 workstations

Click Here

 

 

 

 

Snort ISS

NIDS

FREE Software package

Click Here

 

 

 

 

Cisco Secure IDS

NIDS

Over $1000

Click Here

 

 

 

 

Dragon Enterasys

NIDS

Over $1000

Click Here

This is a brief comparison the full comparative analysis will be released in part 2 of this white paper.

Scary IDS statistics.

  • Just over 90% of interconnected networks that were running IDS detected computer security breaches in the last 12 months defiant of several implemented firewall protections that were installed.
  • Computer Security Institute, 4/7/02 reported that 80% reported financial losses in excess of $455M was caused by intrusion and malicious acts thereafter.
  • Millions of jobs have been affected because of intrusion
  • Only 0.1% of companies are spending the appropriate budget on IDS.
  • IDS are mostly misunderstood and are thought of as a firewall product or a substitute.
  • If you use an antivirus then should also consider adding an IDS as a complimentary product to your security strategy.  Most organizations using antivirus software do not use IDS.

Intrusion Detection System (IDS) is an essential tool that compliments any security suite such as a firewall and a good antivirus.  These tools are ineffective if used separately as each one is tailored to fight off attackers in specific focused areas.  It is good practice to build a security suite with well recognized reliable technologies that have been tried and tested, ensuring that the IDS application chosen suits your organizations needs closely like a well tailored piece of clothing.

Many network security professionals know that a firewall is an essential element to a comprehensive security plan.  It is also felt that IDS is an excellent complementary product that will complete the company’s security strategy.  What many security professionals overlook is the type of IDS that best fits the organization.

When asked the question. What type of antivirus will give you the best protection? (Host based or server based)  My answer would be what depth of security would you prefer to have?  The clients often responds I would like to be secure I do not know you are the expert.  I often use the analogy well what are you afraid that the intruder will attack. Are your client machines important to you?  The response is often yes they are.  Sensitive email is normally stored in archive form on client machines along with temporary working documents and other sensitive company information like projects and word documents that are in the process of being completed.  In this case it is good practice that and IDS is used on the host as well as on the network. 

Intruders are adaptive and after understanding that there is a network IDS they soon look for alternatives where they can bypass network IDS systems.  As with alarm systems, there are no alarms that stop the intruder from entering the premises on the market, an alarm typically alerts the respective proprietor that an entry or attempted entry has been made on the property or system.  The alarm may serve as a deterrent but in some cases the intruder will continue with his unscrupulous activities cognizant to the fact that an alarm has been raised.  Some alarms (IDS Systems) have the capability of dropping potentially damaging packets that have been identified in a similar way that antivirus manufactures detect viruses.  All packets that pass though the IDS are analyzed and compared against a pattern or signature file that verifies that the packet is not an attack on the network integrity.  If the packet is dropped the IDS can be configured to log this event and notify the security professional immediately so action can be taken against the attacker.  Like an antivirus the product is only as good as the updated pattern or signature file so if your IDS work on this basis it is recommended that you keep it current. 

Most intruders are very persistent and if they can not gain access through a specific avenue then other avenues will be attempted.  It is good practice to read the logs and alerts on a regular basis to keep abreast with the network trends.  If various attempts are persistent from a particular source it is recommended that disciplinary action is taken.  Review your countries laws to ascertain what should be done as laws vary from country to country, but authorities are quickly closing the gap on cyber vandalisms and soon it will be quite painless to prosecute attackers that have caused harm to your organization world wide.

As a basic principal is to encrypt your entire network data repository, even if it seems trivial.  Password protect all sensitive information and do not allow network users to browse unsecured intranet sites as sensitive information can be gathered in this way.

Response time

As with all security company’s responses need to be swift and accurate and effective. Your data and intellectual property is your companies asset that needs to be protected from intruders and the alarms have set off telling you that intruders are attempting an attack or are already busy robbing you of your information.  Many security professionals do not respond to the attack and merely cut off that avenue of attack for the attacker.  This simply stalls that intruder, and if the intruder is determined an attempt will be made on other vulnerabilities that may be found.  Noting that your network is so vast and consisting of many machines in a conglomerate system, it is recommended that you install a cost effective HIDS on each machine to ensure that specific vulnerabilities that are explicit to each machine are tended to.  There are great advantages to this especially when there are users in the corporation that move around from site to site or users that take their notebook computers home.  The reason for this would be that if you have a HIDS on the Host machine like the notebook computer the user will then be protected at all time even when he/she is traveling the world and connecting to other remote networks outside of your control.  This is a great advantage and it is easy to see that the HIDS will kick in even if the user is not behind the security of the greater corporate networks NIDS.  Response will then be swift and effortless as the HIDS will be on the user machine securing the user to be a self-sustaining IDS protected system until the user returns to the corporate network environment.

NIDS (network intrusion detection system)

Using NIDS presents a major issue on a switched network if port spanning is not enabled.  By design a switch functions on a high speed direct access principle only transmitting packets directly to the intended recipient of the packet and not the entire network like the legacy hub based networks.  Some security networks function in such a way that port spanning can not be enabled and in this scenario it is recommended that sensors, “taps or monitors” be installed on the segment that spanning tree can not be enabled on. This is where an HIDS will triumph over a NIDS as a NIDS is network based and a HIDS is host based. If the network is not very high profile then you can enable port spanning and this will replicate all traffic that is transmitted on that switch to the port that has the spanning enabled.  Note enabling port spanning is not available on all switching equipment and the wording varies from manufacturer to manufacturer.  Enabling port spanning can also pose a risk if the spanned port is accessible to intruders.  Something small like port spanning, can easily be just what an intruder needs to acquire network information needed to gain access to your corporate network. 

An NIDS should best be describes as a standalone appliances that has network intrusion detection capabilities.  A  NDIS can also be  a software package that you install on dedicated workstation that is connected to your network or a device that has the software embedded and is also connected to your network. The NIDS then scans any traffic that is transmitted over that segment of your network; the NIDS functions in very much the same way as high-end antivirus applications and it makes use of signature or pattern file method comparing each transmitted packet for patterns that may occur within the signature file.   The IDS functions in a very conform way in order to increase packet throughput as inspecting every packet can slow traffic considerably. An IDS then uses the firewall approach when inspecting the packet by letting through the packets that are not potentially dangerous. This processing is done by the IDS’s preprocessing filters that arranges that data that is scanned.

The diagram above emulates the NIDS system; it shows the process of how the NIDS compares the potential intruder packet with the rule list and signature files that are stored within the NIDS database.  The above diagram also applies to HIDS, on every machine that the HIDS is installed.

Comparative analysis of HIDS vs. NIDS

Function

HIDS

NIDS

Comments

Protection on LAN

****

****

Both systems protect you on your LAN

Protection off LAN

****

-

Only HIDS protects you when you are off the LAN

Ease of Administration

****

****

The admin of NIDS and HIDS is equal from a central admin perspective.

Versatility

****

**

HIDS are more versatile systems.

Price

***

*

HIDS are more affordable systems if the right product is chosen.

Ease of Implementation

****

****

Both NIDS and HIDS are equal form a central control perspective

Little Training required

****

**

HIDS requires less training than NIDS

Total cost of ownership

***

**

HIDS cost you less to own in the long run

Bandwidth requirements  on (LAN)

0

2

NIDS uses up LAN bandwidth. HIDS does not.

Network overhead

1

2

The NIDS has double the total network bandwidth requirements from any LAN

Bandwidth requirements (internet)

**

**

Both IDS need internet bandwidth to keep the pattern files current

Spanning port switching requirements

-

****

NIDS requires that port spanning be enabled to ensure that your LAN traffic is scanned.

Update frequency to clients

****

-

HIDS updates all of the clients with a central pattern file.

Cross platform compatibility

**

****

NIDS are more adaptable to cross platform environments.

Local machine registry scans

****

-

Only HIDS can do these types of scans.

Logging

***

***

Both systems have logging functionality

Alarm functions

***

***

Both systems alarm the individual and the administrator.

PAN scan

****

-

Only HIDS scan you personal area networks. (unless you have the $ to get a NIDS for your home)

Packet rejection

-

****

Only NIDS functions in this mode.

Specialist knowledge

***

****

More knowledge is required when installing and understanding how to use NIDS from a network security perspective.

Central management

**

***

NIDS are more centrally managed.

Disable risk factor

*

****

NIDS failure rate is much higher than HIDS failure rate.  NIDS has one point of failure.

Upgrade potential

***

***

It is easier to upgrade software than hardware.  HIDS can be upgraded through a centralized script.  NIDS is typically flashed onto the flash memory and has low overhead.

Multiple LAN detection nodes

****

**

HIDS is a more comprehensive multiple segment detection IDS than NIDS

HIDS (Host intrusion detection system)

Host intrusion detection systems are installed locally on host machines making it a very versatile system compared to NIDS. HIDS can be installed on many different types of machines namely servers, workstations and notebook computers.  Doing so gives you the edge that NIDS does not have especially if you have a segment that you NDIS can not reach beyond. Traffic transmitted to the host is analyzed and passed onto the host if there are not potentially malicious packets within the data transmission. HIDS are more focused on the local machines changing aspect compared to the NIDS.  NIDS focus more greatly on the network those specific hosts themselves. HIDS is also more platform specific and caters strongly in the windows market of the computing world however there are products available that function in the UNIX and other OS topology environments. 

Golden question time NIDS or HIDS?

By now you are thinking do I need a NIDS or do I need a HIDS?  Well the answer is HIDS for a complete solution and NDIS for a LAN solution.  When administering an HIDS solution I found it to require significantly less specialist knowledge as the product did that all for me, whilst NIDS required my undivided attention and after several calls and Lab setups the team got NIDS working.

I must however stress that if you install antivirus software you do not only install it on your firewall, but it is installed on all your clients as well.  There is no reason why both NIDS and HIDS can not be used in conjunction as a strong IDS complimentary strategy.  It is perceived that NIDS are easier to disable from an intruders perspective and I tend to agree with this notion.  Rather install multiple detection nodes on your enterprise network using HIDS than have only one NIDS with a few detection nodes only spanning one segment.  If you have concerns about specific computers that you fear intruders will attach rather protect them using the HIDS as this will be a more secure decision and will be equivalent to installing an alarm in your safe incase someone came along to your cash at night and got past your primary house alarm system.

IDS supports verbose logging, many events are logged in days, ensure that only pertinent data is collected and that you do not get inundated with unnecessary data.  HIDS has more logging than NIDS when taking into account that HIDS logs all machines on the network this is not surprising.  If you are looking at HIDS or NIDS ensure that you find a vendor that has good technical backup and that has the pattern files streaming out when there are new vulnerabilities released into the wild much like an antivirus application.  If you have LAN bandwidth constraints it is very feasible to look at a HIDS. If price is an issue I found that some NIDS solutions are considerably more expensive when compared to a HIDS solution as there is a capital outlay on the hardware and some vendors charge considerably more for the software.

The diagram above represents the typical NIDS scenario where an attempt has been made to funnel the traffic through the NIDS device on the network.  It does not take a genius to see that if you had to isolate a single machine and take the machine away from the network like is done by many business people when in transit that NIDS would be very flawed.  The Red device represents where the NIDS has been installed.

Host based IDS are a more comprehensive solution and displays great strengths in all network environments.  It does not matter where the machines are even if they are away from the network they will be protected at all times.  The Orange machines represent where the HIDS is installed.

Conclusion

If you do not stay one-step ahead of the intruder, the intruder will soon find that out and then he will be the one stepping on you. A NIDS or HIDS should be comprehensive enough to cover you in case you have missed that one important step that you did not know about but all the hackers knew about.  Finding these applications is not an easy task and I will be releasing a whitepaper soon on this topic guiding you through what you should look at when selecting the right product for your organization. Today’s interrelated computer network is a dangerous realm filled with people that have millions of man hours ready to employ against your strongest security strategy.  The only way to beat them is to know they are attempting an attack and counter their attempts.  Strategy is the key and selecting the right IDS strategy will be instrumental in ensuring that your enterprise network remains secure.  The information I have shared with you should be sufficient to arm you when making a design on your approach when considering IDS be it NIDS or HIDS.

The Author — Ricky M. Magalhaes

Ricky M. Magalhaes avatar

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Ricky has over 16 years of experience in the security arena covering all ten domains including best practice and compliance. Ricky is a strategist on security and innovating creative ways to achieve compliance and mitigate risk, to many blue chip entities and forms part of the advisory boards to many organisations worldwide.

Latest Contributions

Featured Links