Page 1219 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

traffic between two or more servers. For example, an application-based IDS can monitor traffic between a web server and a database server looking for suspicious activity.

Host-Based IDS An HIDS monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs. It can often examine events in more detail than a NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker.

A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect. For example, an HIDS can detect infections where an intruder has infiltrated a system and is controlling it remotely. You may notice that this sounds similar to what anti-malware software will do on a computer. It is. Many HIDSs include anti-malware capabilities.

Although many vendors recommend installing host-based IDSs on all systems, this isn't common due to some of the disadvantages of HIDSs. Instead, many organizations choose to install HIDSs only on key servers as an added level of protection. Some of the disadvantages of HIDSs are related to cost and usability. HIDSs are more costly to manage than NIDSs because they require administrative attention on each system, whereas NIDSs usually support centralized administration. An HIDS cannot detect network attacks on other systems. Additionally, it will often consume a significant amount of system resources, degrading the host system's performance. Although it's often possible to restrict the system resources used by the HIDS, this can result in it missing an active attack. Additionally, HIDSs are easier for an intruder to discover and disable, and their logs are maintained on the system, making the logs susceptible to modification during a successful attack.
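The log-modification risk described above, as an added example that is not from the study guide: a keyed hash chain over constructed HIDS log entries, with the key assumed to be held by the central console rather than on the monitored host, so that an in-place edit or a deleted entry in the locally stored log is detected on verification.

```python
import hashlib
import hmac
import json

# Constructed sample entries of the kind an HIDS collects from the security,
# process and host-firewall logs of one host (not taken from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "src": "security", "msg": "logon user=alice result=success"},
    {"ts": "2024-05-01T10:00:07", "src": "process", "msg": "exec parent=httpd child=/bin/sh"},
    {"ts": "2024-05-01T10:00:09", "src": "hostfw", "msg": "outbound 10.0.0.5 -> 203.0.113.9:443 allowed"},
]

GENESIS = "0" * 64  # chain anchor for the first entry

def _link(prev_mac, event, key):
    """Keyed hash over the previous link and the canonical form of this event."""
    body = json.dumps(event, sort_keys=True)
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def chain_entries(events, key):
    """Store each event with the MAC of the entry before it and its own MAC.
    The key is assumed to be held off-host (e.g. by the central console), so an
    intruder who rewrites the local log cannot recompute a valid chain."""
    prev, chained = GENESIS, []
    for ev in events:
        mac = _link(prev, ev, key)
        chained.append({**ev, "prev": prev, "mac": mac})
        prev = mac
    return chained

def verify_chain(chained, key):
    """Return the index of the first entry whose link breaks, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        ev = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _link(prev, ev, key)):
            return i
        prev = entry["mac"]
    return -1

def demo(key=b"demo-key-kept-on-the-central-console"):
    """Intact log, one entry edited in place, and one middle entry deleted."""
    log = chain_entries(SAMPLE_EVENTS, key)
    edited = [dict(e) for e in log]
    edited[1]["msg"] = "exec parent=httpd child=/usr/bin/true"
    deleted = log[:1] + log[2:]
    return verify_chain(log, key), verify_chain(edited, key), verify_chain(deleted, key)
```

Truncating the tail of the log is not caught by the chain alone; the console must also record the latest MAC it received so a shortened log is noticed.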

Network-Based IDS A NIDS monitors and evaluates network activity to detect attacks or event anomalies. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console and/or a SIEM. These sensors can monitor traffic at routers, firewalls,