Host IDS and a Network IDS

Post by S » Fri, 22 Mar 2002 16:24:04

> What exactly is the difference between a host IDS and a network IDS? Thanks.

> VA

Pretty simple.
A host is a single computer
A network is a group of computers

Host IDS detects intrusions on a single PC.
Network IDS watches the network, which may have multiple PCs or clients.
  Could be a class A/B/C or even D network or any combination. For
networks, an IDS normally exists at the enclave boundary protecting or
monitoring all traffic at the boundary going to/from networks behind the
boundary.

Disclaimer: Various IDS make various claims.
  A host IDS may protect your network if you have a dual-NIC'd host
between your network and your provider.

For example: I may have a WIN2K PC with 2 NICs, with one NIC connected to
my cable modem and service provider and the other NIC connected to a hub
or switch with my kids' computer, bedroom computer, living room and
kitchen computer connected to the hub/switch. The WIN2K PC is acting as
a gateway or internet connection sharing box. I might be able to use a
host IDS to monitor and protect all my data from all PCs since I am
"bottle-necking" all data through the WIN2K PC and the host IDS is
monitoring traffic on the WIN2K PC.

But say I have a router with a built-in switch and I have all my PCs
connected to it. That means I probably need a network IDS that is going
to look at all the traffic on my home LAN, since I am not
"bottle-necking" my traffic through the one PC but am using the cable
router/switch as my gateway.

Examples of host IDS for windoz are BlackICE, ZoneAlarm etc., and for
linux PortSentry. An example of a good network IDS for both windoz
and linux is Snort.

Much more to it, but the above is the simple answer. And of course this
is arguable.
ITC(SW) Smith
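The visibility difference the post describes (a host IDS on one PC versus a host IDS on the dual-NIC gateway versus a network IDS on the LAN segment) can be made concrete. The block below is an added example, not code from the post or from Snort: it parses a tiny subset of Snort's rule syntax (header plus msg/content/sid), runs it over three constructed packets, and reports which alerts each sensor placement would actually fire. The home LAN 192.168.1.0/24, the hosts, the rule SIDs and the packet payloads are all assumed for illustration.

```python
# Added example: minimal Snort-style rule matcher plus a model of what each
# sensor placement from the post can see. Not Snort itself; all addresses,
# rules and packets are constructed for illustration.
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    sid: int


# Supported subset: "alert <proto> <src> <sport> -> <dst> <dport> (msg; content; sid;)"
RULE_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            options[key] = value.strip().strip('"')
    return Rule(proto, src, sport, dst, dport, options["msg"],
                options.get("content", "").encode(), int(options["sid"]))


def _addr_ok(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and rule.content in pkt.payload)


# --- the three sensor placements discussed in the post ---------------------
def host_sensor(host: str):
    """Host IDS on one PC: only traffic addressed to or from that PC."""
    return lambda p: host in (p.src, p.dst)


def gateway_sensor(p: Packet) -> bool:
    """Host IDS on the dual-NIC ICS box: every packet crossing the LAN/ISP
    boundary passes through it (assumes it watches the inside NIC, pre-NAT).
    LAN-to-LAN traffic on the hub/switch never reaches it."""
    return (ipaddress.ip_address(p.src) in HOME_NET) != (ipaddress.ip_address(p.dst) in HOME_NET)


def network_sensor(p: Packet) -> bool:
    """Network IDS (e.g. Snort) on a hub or switch mirror port: whole segment."""
    return True


RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET root login attempt"; content:"root"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; sid:1000002;)',
)]

# Constructed traffic: an outside telnet probe, a LAN-to-LAN web attack, benign browsing.
PACKETS = [
    Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 23, b"root\r\n"),
    Packet("tcp", "192.168.1.20", 40002, "192.168.1.30", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "192.168.1.10", 40003, "198.51.100.7", 80, b"GET /index.html HTTP/1.0\r\n"),
]


def alert_sids(visible, rules=RULES, packets=PACKETS):
    """Sorted SIDs fired for the packets a given sensor placement can see."""
    return sorted({r.sid for p in packets if visible(p) for r in rules if rule_matches(r, p)})


if __name__ == "__main__":
    print("HIDS on kids' PC   :", alert_sids(host_sensor("192.168.1.10")))  # [1000001]
    print("HIDS on ICS gateway:", alert_sids(gateway_sensor))               # [1000001]
    print("NIDS on LAN segment:", alert_sids(network_sensor))               # [1000001, 1000002]
```

The gateway placement catches the outside probe because all Internet-bound traffic is funnelled through the WIN2K box, but it never sees the LAN-to-LAN web attack between two PCs on the hub/switch; only the network sensor fires both SIDs. One practical caveat when you move to the router-with-switch setup: a switch only forwards frames to the destination port, so a Snort sensor on an ordinary switch port sees just its own traffic plus broadcasts. It needs a hub, a mirror/SPAN port or a tap to watch the whole segment.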