Distributed security services in Microsoft Windows 2000 (Windows NT 5.0) — protecting data in the enterprise
Author: Glenn Pittaway
- Publisher: Elsevier Science
- Year: 1999
- Language: English
- Size: 253 KB
- Volume: 4
- Category: Article
- ISSN: 1363-4127
Synopsis (report highlights)
tions. The distributed engines are managed centrally by a single console where the notifications are displayed and where selected tailor-made security policies are pushed down to the engines.
Both packet headers and payload can be subjected to closer scrutiny to detect attack signatures. Signatures may span multiple packets, require reassembly of packets, or span multiple sessions. Integrating the reassembly process with the attack recognition algorithms protects the engine from being affected by a possible attack itself.
The strengths of network-based IDS are as follows:
• The real-time nature of network-based detection provides faster response and notification compared to its host-based counterpart. Attacks aimed at low-level services on a particular computer may crash that machine before its host-based IDS can pick up the event and react.
• Because a network-based intrusion detection system examines both packet headers and payload, it has the ability to detect attacks that a host-based system would miss. Many of today's IP-based denial of service attacks are detected by looking at the packet headers as they travel across a network.
• A network-based intrusion detection engine can investigate the content of the payload by looking for specific commands or syntax indicative of a variety of attacks. A host-based IDS would not be able to detect these types of payload-embedded exploits.
• An engine is extremely hard to detect and evade. This also protects the monitoring system itself from directed attacks.
• Network-based intrusion detection systems allow strategic deployment at critical access points. They are operating system independent, fewer detection points are required, and the cost of ownership is usually lower for an enterprise environment.