Someone recently mentioned that they took the SY0-201 exam and had several IDS questions such as HIDS and NIDS. This makes a lot of sense since these are listed on the objectives. Here are some of the basics:
An Intrusion Detection System (IDS) is designed to detect intrusions, but a host-based IDS (HIDS) works a little differently from a network-based IDS (NIDS). Some key points of each are:
HIDS
- Installed on a host computer such as a workstation or server
- Used primarily to monitor the traffic passing through the NIC of that host
- Consumes resources (CPU, memory, disk) of the host it is protecting
- Can only see network traffic sent to or from that host; it has no view of the rest of the network
- Data is stored locally (on the host)
NIDS
- Installed on network devices (such as firewalls, routers or switches) or attached to a network segment
- The monitoring points are referred to as sensors or taps
- Data is centrally managed: sensors report back to a central console
- Cannot inspect the contents of encrypted traffic (it sees only the ciphertext), and cannot see what happens on the individual hosts
Both types can use either signature-based detection or anomaly-based detection.
Signature-based
The IDS looks for known attack patterns, similar to the way anti-virus programs use virus signatures. It can only detect attacks for which it has a signature, so the signature database must be kept up to date.
Anomaly-based
A baseline of normal operation is created first. When events occur that are 'out of the norm' (anomalies), the system alerts. This can catch previously unknown attacks, but an incomplete baseline leads to false positives.
Also, both types can use either a passive or an active response.
Passive Response
Alerts are logged and personnel are typically notified, but the IDS itself takes no further action.
Active Response
An active response also takes some action to modify the environment. A common active response is to change the ACL on a router or firewall to block traffic from the attacker's address. Because this changes the environment automatically, a false positive (or a spoofed source address) can end up blocking legitimate traffic, so active responses are used with care.
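To make the four concepts above concrete, here is a small added example (not code from the original post or from the book) that runs a toy detector over a few constructed NIDS-style connection records. The record format, the two signatures, the "distinct destination ports per source" baseline and its threshold of 3 are all assumptions chosen for illustration; the blocked-address set stands in for the router or firewall ACL that an active response would modify. The same events are processed once in passive mode and once in active mode so the difference in outcome is visible.

```python
"""Toy IDS: signature vs. anomaly detection, passive vs. active response.

Added example, not from the original post. Signatures, baseline threshold
and the record format are assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample sensor records: (src, dst, dst_port, payload snippet).
# 203.0.113.9 sends a SQL-injection probe and then sweeps several ports;
# 198.51.100.4 sends a directory-traversal request.
SAMPLE_EVENTS = [
    ("10.0.0.5",     "192.168.1.10", 80,   "GET /index.html HTTP/1.1"),
    ("10.0.0.5",     "192.168.1.10", 443,  ""),
    ("203.0.113.9",  "192.168.1.10", 80,   "GET /login.php?user=' OR '1'='1 HTTP/1.1"),
    ("203.0.113.9",  "192.168.1.10", 22,   ""),
    ("203.0.113.9",  "192.168.1.10", 23,   ""),
    ("203.0.113.9",  "192.168.1.10", 3389, ""),
    ("203.0.113.9",  "192.168.1.10", 445,  ""),
    # TLS payload is ciphertext: a signature engine cannot see inside it.
    ("10.0.0.7",     "192.168.1.10", 443,  "16 03 01 02 00 01 00 01 fc 03 03"),
    ("198.51.100.4", "192.168.1.10", 80,   "GET /../../../etc/passwd HTTP/1.0"),
]

# Signature-based detection: known attack patterns, like anti-virus signatures.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "dir-traversal": re.compile(r"\.\./\.\./"),
}

# Anomaly-based detection: a baseline of normal behaviour. Assumed baseline:
# a single source normally talks to at most 3 distinct destination ports.
BASELINE_MAX_DISTINCT_PORTS = 3


@dataclass
class Alert:
    method: str   # "signature" or "anomaly"
    src: str
    detail: str


@dataclass
class IDS:
    active: bool = False                          # False = passive response only
    alerts: list = field(default_factory=list)    # the log personnel are notified from
    blocked: set = field(default_factory=set)     # stands in for the router/firewall ACL
    _ports_by_src: dict = field(default_factory=lambda: defaultdict(set))
    _flagged_anomalous: set = field(default_factory=set)

    def _respond(self, alert: Alert) -> None:
        self.alerts.append(alert)                 # passive response: log and notify
        if self.active:
            self.blocked.add(alert.src)           # active response: add a deny entry

    def signature_check(self, src: str, payload: str) -> bool:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                self._respond(Alert("signature", src, name))
                return True
        return False

    def anomaly_check(self, src: str, dst_port: int) -> bool:
        ports = self._ports_by_src[src]
        ports.add(dst_port)
        # Alert once per source when it exceeds the baseline.
        if len(ports) > BASELINE_MAX_DISTINCT_PORTS and src not in self._flagged_anomalous:
            self._flagged_anomalous.add(src)
            self._respond(Alert("anomaly", src,
                                f"{len(ports)} distinct ports, baseline {BASELINE_MAX_DISTINCT_PORTS}"))
            return True
        return False

    def process(self, src: str, dst: str, dst_port: int, payload: str) -> str:
        if src in self.blocked:
            return "dropped"                      # ACL entry from an earlier active response
        hit = self.signature_check(src, payload)
        hit = self.anomaly_check(src, dst_port) or hit
        return "alert" if hit else "ok"


def run(events, active: bool):
    """Process all events through a fresh IDS; return (ids, per-event results)."""
    ids = IDS(active=active)
    return ids, [ids.process(*e) for e in events]


if __name__ == "__main__":
    for mode in (False, True):
        ids, results = run(SAMPLE_EVENTS, active=mode)
        print("active" if mode else "passive", results)
        for a in ids.alerts:
            print("  ", a.method, a.src, a.detail)
        print("   blocked:", sorted(ids.blocked))
```

In passive mode every event is inspected and the port sweep from 203.0.113.9 eventually trips the anomaly baseline; in active mode the same source is blocked right after its first signature match, so its later packets are dropped before inspection and the anomaly is never raised. The TLS record is passed through in both modes, which is the encrypted-traffic limitation noted above.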
While this provides an overview, the CompTIA Security+: Get Certified Get Ahead book has a full section on Intrusion Detection Systems in Chapter 4 (Securing Your Network).
Darril Gibson
Author: CompTIA Security+: Get Certified Get Ahead
http://sy0-201.com
Security+ Tip of the Day Tweets
twitter.com/DarrilGibson