Network-based and Host-based IDS

According to an IDS market study covering on-premise and SaaS deployments across the BFSI, Healthcare, IT & Telecom, Retail, Energy & Utilities, and Manufacturing sectors for 2024 to 2034, the global IDS market is valued at around 6.8 billion USD in 2024 and is forecast to reach 19.2 billion USD by the end of 2034.

Intrusion Detection Systems (IDS) can be classified into Network-Based IDS (NIDS) and Host-Based IDS (HIDS) based on where they are deployed and how they monitor for threats. 

1. Network-Based IDS (NIDS)

A Network-Based Intrusion Detection System (NIDS) monitors network traffic across an entire network segment to detect malicious activity.

Features:

  • Deployment:
    • Deployed as a dedicated sensor that receives a copy of the segment's traffic from a switch SPAN/mirror port or a network TAP, or placed inline at a choke point; some switches, routers, and firewalls can also run a NIDS module.
    • Monitors traffic flowing between devices on the network.
  • Focus:
    • Detects attacks or malicious behavior by analyzing packet data, headers, and patterns (e.g., port scans, DDoS attacks, and worm propagation).
  • Scalability:
    • Covers a large number of devices on the network, providing a wide view of potential threats.

Advantages:

  1. Broad Visibility:
    • Can monitor every device whose traffic crosses the sensor without installing anything on the hosts, although for encrypted (e.g. TLS) sessions it sees only headers and flow metadata unless a decryption point is placed in front of it.
  2. Early Detection:
    • Sees attack traffic while it is still in transit, so it can alert before, or independently of, anything being recorded on the target host; this is especially useful for network-level attacks such as scans and floods.
  3. Centralized Management:
    • Can be deployed at key points (e.g., at the network perimeter) for streamlined threat monitoring.

Use Cases:

  • Protecting a network segment or perimeter from external threats.
  • Detecting large-scale attacks, such as network reconnaissance or DDoS.
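The port-scan case above is the classic example of detection from packet headers alone. The following is an added example written for this page (not code from the original article or from any IDS product): a sliding-window detector that, like a NIDS sensor on a span or tap, uses nothing but timestamp, source IP, destination IP and destination port, and raises one alert when a single source touches at least a threshold number of distinct ports on one destination inside the window. The class and function names, the thresholds, and the packet list with 10.0.0.x and 192.0.2.x addresses are all constructed for the demonstration.

```python
"""Toy NIDS-style port-scan detector working from packet headers only.

Added example for this page; not code from the original article or any
IDS product. Uses only (timestamp, src IP, dst IP, dst port), which is
visible even when the payload is encrypted. Alerts once when one source
hits at least `port_threshold` distinct ports on one destination within
a sliding `window_seconds` window. SAMPLE_PACKETS is constructed data.
"""
from collections import defaultdict, deque


class PortScanDetector:
    def __init__(self, window_seconds=10.0, port_threshold=10):
        self.window = window_seconds
        self.threshold = port_threshold
        # (src, dst) -> deque of (timestamp, dst_port) still inside the window
        self._recent = defaultdict(deque)
        self._alerted = set()
        self.alerts = []

    def observe(self, ts, src, dst, dst_port):
        """Feed one packet header; return the alert dict if one fires, else None."""
        key = (src, dst)
        q = self._recent[key]
        q.append((ts, dst_port))
        # Drop observations that have aged out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)  # one alert per (src, dst) pair, not per packet
            alert = {
                "src": src,
                "dst": dst,
                "distinct_ports": len(distinct),
                "first_seen": q[0][0],
                "last_seen": ts,
            }
            self.alerts.append(alert)
            return alert
        return None


def run_detector(packets, window_seconds=10.0, port_threshold=10):
    """Replay (ts, src, dst, dst_port) records in time order; return all alerts."""
    det = PortScanDetector(window_seconds, port_threshold)
    for ts, src, dst, dst_port in sorted(packets):
        det.observe(ts, src, dst, dst_port)
    return det.alerts


# Constructed sample headers (no real traffic): a normal web client, a fast
# scanner, and a slow scanner that never reaches the threshold inside a window.
SAMPLE_PACKETS = []
for i in range(20):  # benign client: only ports 80 and 443, many times
    SAMPLE_PACKETS.append((i * 0.5, "10.0.0.5", "10.0.0.20", 443 if i % 2 else 80))
for i, port in enumerate(range(20, 40)):  # fast scan: 20 ports in one second
    SAMPLE_PACKETS.append((3.0 + i * 0.05, "192.0.2.100", "10.0.0.20", port))
for i, port in enumerate(range(100, 112)):  # slow scan: one port every 30 s
    SAMPLE_PACKETS.append((100.0 + i * 30.0, "192.0.2.200", "10.0.0.20", port))


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_PACKETS):
        print("PORT SCAN: %(src)s -> %(dst)s, %(distinct_ports)d ports "
              "between t=%(first_seen).2f and t=%(last_seen).2f" % alert)
```

With the default 10-second window only the fast scanner (192.0.2.100) is reported; the slow scanner touches 12 ports in total but never 10 inside one window, which is exactly the evasion a practitioner tunes the window against (widening it to a few hundred seconds catches the slow scan too, at the cost of more state per pair). A production sensor adds the same logic per destination across many sources, rate-limits alerts, and can still do this for TLS traffic because it never needs the payload.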

2. Host-Based IDS (HIDS)

A Host-Based Intrusion Detection System (HIDS) monitors activity on a specific host or device (e.g., servers, desktops) for signs of compromise.

Features:

  • Deployment:
    • Installed as an agent on individual hosts (endpoints, servers, or virtual machines).
    • Focuses on monitoring system-level activities such as file changes, processes, and user activity.
  • Focus:
    • Detects host-specific attacks (e.g., privilege escalation, malware execution, unauthorized file access).
  • Granular Monitoring:
    • Analyzes system logs, registry changes, file integrity, and more.

Advantages:

  1. Host-Specific Insight:
    • Detects attacks and changes that occur within the host, including file tampering, unauthorized access, or privilege escalation.
  2. Visibility Despite Encryption:
    • Observes activity on the host after transport encryption such as TLS has been stripped (processes, files, logs, local sockets), so traffic that is opaque to a network sensor is still visible through its effects on the host.
  3. Post-Attack Analysis:
    • Useful for forensic analysis to determine the impact of an attack on a specific host.

Use Cases:

  • Protecting critical servers, workstations, or devices.
  • Monitoring sensitive systems where granular activity tracking is essential (e.g., database servers).

When to Use NIDS vs. HIDS

Use NIDS When:

  • Monitoring traffic at the network level is critical (e.g., detecting DDoS, worms, or port scans).
  • You want broad coverage across multiple devices without needing to install agents.
  • You are focusing on protecting the network perimeter.

Use HIDS When:

  • You need detailed insights into host-specific activity, such as file changes, privilege escalation, or log analysis.
  • The environment includes critical assets (e.g., servers, endpoints) that require close monitoring.
  • You want to detect internal threats or post-compromise activity.