What is the difference between a host-based intrusion detection system and a network-based IDS? In which scenarios...
would each be best deployed?
Host-based intrusion detection systems (IDSes) protect just that: the host or endpoint. This includes workstations, servers, mobile devices and the like. Host-based IDSes are one of the last layers of defense. They're also one of the best security controls because they can be fine-tuned to the specific workstation, application, user role or workflows required.
A network-based IDS often sits on the ingress or egress point(s) of the network to monitor what's coming and going. Given that a network-based IDS sits further out on the network, it may not provide enough granular protection to keep everything in check -- especially for network traffic that's protected by SSL, TLS or SSH.
IDS technology is relatively old, and the newer intrusion prevention system (IPS) is often a better enterprise fit. IPS, be it at the host or network level, can help prevent an attack rather than merely report on it.
The interesting thing I've seen regarding host-based IPSes is that they're rarely used. This is likely because of the complexity and frustration involved; they're challenging for IT and security staff to configure properly without creating bottlenecks or negatively impacting network traffic, and it can be frustrating if they're set up in a way that prevents the user from getting his or her work done. Furthermore, the last thing that users want to deal with is a bunch of annoying pop-up windows asking if it's okay to allow unknown traffic to communicate to and from the computer. This brings up another interesting caveat: Users are often in control of their local security policies, which can actually negate any perceived benefits of the host-based IPS.
In the end, it's up to the individual enterprise to determine what's best, given its technologies, culture and business needs. IPS is often the way to go; both network- and host-based IPS can provide high levels of security if designed, implemented and managed properly.
Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your enterprise security questions -- submit them now! (All questions are anonymous.)
Learn about different IDS and IPS deployment strategies
Test your IDS and IPS knowledge
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Kevin Beaver
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.