Nt1310 Unit 1 Monitor System Activities


2. Monitors system activities: A host-based IDS sensor monitors user and file activity on the host it is installed on: file reads and writes, changes to file permissions, attempts to install new executables, and similar events. It can also track every user login and logoff, what users do while connected to the network, file system changes, and actions that are normally performed only by an administrator. Because the operating system logs every event in which a user account is added, deleted or modified, a host-based IDS can flag an improper change as soon as it is made. A network-based system cannot provide this level of detail about activity on an individual system.
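As an added example (not part of the essay), the following minimal host-based monitor shows what "monitoring system activities" looks like in practice: it scans operating-system log lines for the event classes named above (logins and logoffs, account changes, privileged commands, permission changes) and raises an alert for each. The log lines, host name, user names and addresses are constructed to resemble Linux auth.log/syslog output and are not from any real host.

```python
"""Added example: a minimal host-based event monitor. It scans operating-system
log lines for logins/logoffs, account changes, privileged commands and
permission changes and raises an alert for each. The log lines below are
constructed to look like Linux auth.log/syslog output; they are not real."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log (not real data): an admin session that creates an
# account and sets a setuid bit, plus one failed remote login attempt.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2314]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:12:01 web01 systemd-logind[812]: New session 7 of user alice.
Mar 10 09:13:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m backup2
Mar 10 09:13:44 web01 useradd[2400]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Mar 10 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/chmod 4755 /usr/local/bin/helper
Mar 10 09:15:10 web01 sshd[2450]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2
Mar 10 09:20:30 web01 systemd-logind[812]: Removed session 7.
"""


@dataclass
class Alert:
    line_no: int
    rule: str
    severity: str
    user: str
    detail: str


# (rule name, severity, pattern). Patterns follow the common Linux log formats
# written by sshd, sudo, useradd/userdel and systemd-logind.
RULES = [
    ("account_created", "high",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")),
    ("account_deleted", "high",
     re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")),
    ("privileged_command", "medium",
     re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    ("login_failed", "medium",
     re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login_ok", "info",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("logoff", "info",
     re.compile(r"systemd-logind\[\d+\]: Removed session (?P<session>\d+)")),
]

CHMOD_ARGS = re.compile(r"chmod\s+(?:-\S+\s+)*(?P<mode>\S+)\s+(?P<path>\S+)")


def sets_suid_or_sgid(mode: str) -> bool:
    """True when an octal mode has the setuid (4) or setgid (2) bit in its
    leading digit, or a symbolic mode adds 's'."""
    return bool(re.fullmatch(r"[0-7]?[2-7][0-7]{3}", mode)) or "+s" in mode


def analyze(log_text: str) -> list[Alert]:
    """Return one Alert per log line that matches a rule (first match wins)."""
    alerts: list[Alert] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            fields = m.groupdict()
            rule, sev = name, severity
            user = fields.pop("user", "-")
            detail = ", ".join(f"{k}={v}" for k, v in fields.items())
            if rule == "privileged_command":
                # A sudo chmod that adds setuid/setgid is the kind of permission
                # change attackers use for persistence, so escalate it to high.
                cm = CHMOD_ARGS.search(fields["cmd"])
                if cm and sets_suid_or_sgid(cm.group("mode")):
                    rule, sev = "setuid_permission_change", "high"
                    detail = f"mode={cm.group('mode')}, path={cm.group('path')}"
            alerts.append(Alert(line_no, rule, sev, user, detail))
            break
    return alerts


def count_by_severity(alerts: list[Alert]) -> dict[str, int]:
    """The summary a daily log review would start from."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no}: [{a.severity}] {a.rule} user={a.user} {a.detail}")
    print(count_by_severity(found))
```

Run as a script it prints one alert per matching line and a severity count. The point to notice is that the account creation on line 4 and the setuid change on line 5 are visible only because the sensor reads the host's own logs; neither would appear in a network capture of the SSH session, which is encrypted.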

3. Detects attacks that a network-based IDS fails to detect: Host-based systems can detect attacks that
The logs must be reviewed daily to analyze the kinds of malicious activity the IDS has detected over a period of time. Today's IDS products have not yet reached the point where they can produce a historical analysis of the intrusions detected over that period; this remains a manual task.

It is therefore important for an organization to have a well-defined incident handling and response plan for the case where an intrusion is detected and reported by the IDS, and skilled security personnel to carry that plan out.

2. The success of an IDS implementation depends to a large extent on how it is deployed. Considerable planning is required in both the design and the implementation phase. In most cases it is desirable to deploy a hybrid of network-based and host-based IDS so as to benefit from both, since each technology complements the other; the right mix, however, varies from one organization to another. A network-based IDS is the immediate choice for many organizations because one sensor can monitor multiple systems and because it does not require software to be loaded on a production system, unlike host based
If all the 10/100 Mbps ports in a VLAN are mirrored to another 10/100 Mbps port in that VLAN, the IDS sensor may drop traffic, because the combined traffic of all the mirrored ports can exceed 100 Mbps. With Gigabit ports now available, the challenge becomes even harder. Cisco Systems offers an IDS module for the Catalyst 6000 series switch that sits on the switch backplane and monitors traffic directly from it, but this solution has yet to scale to Gigabit speed: at the time of writing the module supports traffic only up to 100 Mbps. The portability of network-based IDS in a switched environment is still a
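The oversubscription problem described above can be checked before a mirror port is configured. The following is an added example, not from the essay, and it goes one step beyond the text: a mirrored full-duplex port copies both its receive and transmit directions, so a single fully used 100 Mbps port already produces up to 200 Mbps of mirrored traffic, and even a Gigabit destination port can be oversubscribed by a dozen busy Fast Ethernet ports. The port names, speeds and utilization figures are assumed for illustration, not measurements.

```python
"""Added example (not from the essay): a sizing check for mirroring switch
ports to a single IDS sensor port. A mirrored full-duplex port contributes
both directions of its traffic, which the usual back-of-the-envelope sum of
port speeds leaves out."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class MirrorSource:
    name: str
    link_mbps: int                # port speed
    peak_util: float              # fraction of the link busy per direction at peak
    both_directions: bool = True  # mirror rx and tx (the usual mirror default)


def peak_mirrored_mbps(sources: list[MirrorSource]) -> float:
    """Worst-case traffic arriving at the mirror destination port."""
    total = 0.0
    for s in sources:
        directions = 2 if s.both_directions else 1
        total += s.link_mbps * s.peak_util * directions
    return total


def span_check(sources: list[MirrorSource], dest_mbps: int) -> dict:
    """Oversubscription ratio, worst-case fraction of traffic the sensor never
    sees, and how many destination ports of this speed would avoid loss."""
    peak = peak_mirrored_mbps(sources)
    ratio = peak / dest_mbps
    dropped = max(0.0, 1.0 - dest_mbps / peak) if peak > 0 else 0.0
    return {
        "peak_mbps": peak,
        "ratio": ratio,
        "dropped_fraction": dropped,
        "dest_ports_needed": max(1, math.ceil(peak / dest_mbps)),
    }


# Constructed scenario (assumed numbers): one VLAN of twelve 100 Mbps ports,
# each 50% busy in both directions at peak.
VLAN_PORTS = [MirrorSource(f"Fa0/{i}", 100, 0.5) for i in range(1, 13)]

if __name__ == "__main__":
    for dest in (100, 1000):
        r = span_check(VLAN_PORTS, dest)
        print(f"dest {dest} Mbps: peak {r['peak_mbps']:.0f} Mbps, "
              f"ratio {r['ratio']:.1f}x, worst-case drop {r['dropped_fraction']:.0%}, "
              f"ports needed {r['dest_ports_needed']}")
```

With these assumed figures the twelve half-busy ports generate 1200 Mbps of mirrored traffic: a 100 Mbps destination port sees at best one twelfth of it, and even a Gigabit destination port drops about a sixth at peak. That loss is silent from the sensor's point of view, which is why the dropped fraction is worth computing rather than assuming the mirror port "sees everything".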