Admins must know the difference between a host-based intrusion detection system and a network-based IDS, as well...
as the best scenarios to deploy each -- and when newer technologies might be better to prevent intrusions in the first place.
Host IDS benefits and challenges
Host-based IDSes protect just that: the host or endpoint. This includes workstations, servers and mobile devices. They can also perform file integrity monitoring to detect and alert on important files that are improperly accessed or modified. Host IDSes are one of the last layers of defense. They're also one of the best security controls because they can be fine-tuned to the specific workstation, application, user role or workflow required.
Over the years, there has been a level of complexity and frustration involved with traditional host intrusion prevention system (IPS) software, in that users were often in control of their local security policies, which enabled them to disable protection negating any perceived benefits of the host IPS.
Network IDS benefits and challenges
A network-based IDS often sits on the ingress or egress point(s) of the network to monitor what's coming and going. Given that a network-based IDS often sits further out on the network, it may not provide enough granular protection to keep everything in check -- especially for network traffic that's encrypted by Transport Layer Security or SSH.
IDS technology is relatively old. The newer IPS is often a better enterprise fit. IPS, be it at the host or network level, can actively stop an attack rather than merely report on it.
Host IDS vs. network IDS: Choosing the best option for your enterprise
In the end, it's up to the individual enterprise to determine what's best, given its technologies, business needs and risk tolerance. Proactive protection available from IPS is usually the best way to go; both host and network IPS can provide high levels of security if designed, implemented and managed properly. Other technologies, including the aforementioned EDR tools, as well as data loss prevention and SIEM systems, should also be considered.
The important thing is to ensure that the system can properly facilitate business rather than getting in the way of it.
Learn about different IDS and IPS deployment strategies
Test your IDS and IPS knowledge
Dig Deeper on Enterprise network security
Related Q&A from Kevin Beaver
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading
The WannaCry TCP port 445 exploit returned the spotlight to Microsoft's long-abused networking port. Network security expert Kevin Beaver explains ... Continue Reading