
Will host-based intrusion detection software replace signature IDS?

As signature-based IDS becomes less effective, is host-based IDS the best option to replace it? Expert Anand Sastry weighs in.

As encryption conceals the contents of network messages, the ability of intrusion detection systems to read those packets decreases. Some have speculated that all IDSes will become host-based once all network packets have been encrypted. Do you agree?

With the increase in malware threats targeting the application domain and users’ browsers specifically, traditional network signature-based intrusion detection and prevention systems are turning out to be less effective at combating this type of threat. This situation is further exacerbated when traffic is encrypted, as traditional signature IDS products offer no visibility.

Proxy-based Layer 7 protection products for policing Internet access from corporate workstations tend to be more effective in these situations, due to their focus on client-side threats. Web application firewalls also play a similar part in hosted environments, protecting critical Web applications against application-layer threats.

These proxy-based products have the ability to broker encrypted sessions on behalf of the client, which gives them visibility into the session to monitor for threats that would otherwise have been missed. Such a platform provides more comprehensive detection and mitigation than traditional IDS products.

In order to extend this protection onto mobile platforms, full-featured endpoint security products provide effective threat mitigation as well. These endpoint security products, often referred to as host-based intrusion detection software, provide traditional signature-based IDS/IPS protection at the host level, while also providing the user with a safer Web experience through built-in site reputation checking. This, coupled with antivirus and antispyware protection, provides effective and cost-efficient protection irrespective of the environment (corporate or public).
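The two preceding paragraphs describe three inspection points with different visibility into an encrypted session: a passive network sensor, a proxy that brokers the TLS session, and an agent on the host itself. The following Python script is an added illustration of that difference and is not code from the original column or from any product it mentions. Everything in it is constructed: the signature set, the HTTP request, and the session key are made up, and the "encryption" is a keyed SHA-256 counter-mode stream used only as a stand-in for TLS record protection so the script runs offline with the standard library.

```python
"""Added example: the same content signatures applied at three inspection points.

All data is constructed. The stream cipher below stands in for TLS so the
script runs offline with only the standard library; it is not real TLS.
"""
from __future__ import annotations

import hashlib
import re

# Constructed signature set: patterns a signature IDS might match on plaintext HTTP.
SIGNATURES = {
    "suspicious-path-traversal": re.compile(rb"\.\./\.\./"),
    "generic-eval-in-param": re.compile(rb"eval\(", re.IGNORECASE),
}

# Constructed client request, exactly as the browser produces it before encryption.
CLIENT_REQUEST = (
    b"GET /download?file=../../etc/passwd HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: constructed-example/1.0\r\n\r\n"
)


def match_signatures(payload: bytes) -> list[str]:
    """Return the sorted names of all signatures that fire on the given bytes."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(payload))


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for TLS record encryption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; symmetric, so decrypt is the same call."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def network_sensor_view(ciphertext: bytes) -> list[str]:
    """A passive network IDS sees only the encrypted bytes on the wire."""
    return match_signatures(ciphertext)


def proxy_view(ciphertext: bytes, session_key: bytes) -> list[str]:
    """A brokering proxy terminated the session, holds its key and inspects plaintext."""
    return match_signatures(decrypt(session_key, ciphertext))


def host_agent_view(plaintext: bytes) -> list[str]:
    """A host agent sees the request before the browser ever encrypts it."""
    return match_signatures(plaintext)


def demo() -> dict[str, list[str]]:
    """Run the constructed request past all three inspection points."""
    session_key = b"constructed-session-key"  # constructed; a real TLS key is negotiated
    wire_bytes = encrypt(session_key, CLIENT_REQUEST)
    return {
        "network_sensor": network_sensor_view(wire_bytes),
        "brokering_proxy": proxy_view(wire_bytes, session_key),
        "host_agent": host_agent_view(CLIENT_REQUEST),
    }


if __name__ == "__main__":
    for point, hits in demo().items():
        print(f"{point:16s} -> {hits or 'no signature match'}")
```

Only the proxy and the host agent report the traversal signature; the network sensor, holding the same rules, has nothing readable to apply them to. The proxy's visibility depends entirely on its holding the session key, which is what "brokering the session" means in practice, whereas the host agent needs no key at all because it inspects the request on the side of the encryption boundary where it is still plaintext.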

I think current endpoint products, coupled with point products targeting specific threats like key/screen/clipboard loggers, make for an effective alternative to traditional IPS or IDS products.

This was last published in August 2011
