Host-level IDS (Intrusion Detection Systems) or IPS (Intrusion Detection and Prevention Systems) are a very powerful way to protect your network.

An IDS or IPS looks at network traffic and irregularities in it. They can be signature-based, meaning they identify known attack signatures already in the wild, or heuristic/behavioral-based. Behavioral-based devices produce a great many false positives, while signature-based ones are almost 100% accurate.

An IPS can block traffic, while an IDS simply alerts on potentially malicious activity. So why not just implement an IPS and both detect and block traffic, like a firewall? The reason is that an IPS must be inline to work effectively, and if it is inspecting traffic deeply this can cause one of two things, or a combination of them: slower traffic, meaning unhappy users, and/or the need for a faster pipe, increasing costs to the business. An IPS, especially a heuristic-based one, can also block legitimate traffic, which is not good.

A host-level IPS/IDS typically works by installing an agent on each host to be monitored; the agent looks at the activity of that machine. It can also function based on signatures or behavior patterns. Many small to midsized networks have not implemented this because of the high level of false positives from heuristic IPS/IDSs and the potential blocking of network traffic by a host-based IPS.


Also, because it requires an agent installed on the machine, it can lead to performance issues and can frustrate users. If you are using a behavioral-based IDS/IPS and have not tweaked it, you will probably get bombarded with false positives, leaving your security team unable to respond to most of them and leading to alert fatigue, so that they are not focusing on real threats to the network. You will also have to hire many more engineers for monitoring if you don't tweak these correctly.
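To make the tuning point concrete, here is an added example (not part of the original article and not any vendor's code) of a host agent's two detection modes, run over constructed events. The process names, connection rates, placeholder signature string, threshold multiplier `k` and allowlist are all assumptions made for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed signature (a placeholder string, not a real indicator).
SIGNATURES = [re.compile(r"EXAMPLE-BAD-TOOL\.exe", re.I)]

# Constructed baseline: outbound connections per minute on one host in normal use.
BASELINE = [10, 12, 11, 9, 13, 10, 12, 11, 10, 12]

# Constructed agent events: (process, command line, conns/min, actually malicious?)
EVENTS = [
    ("browser.exe", "browser.exe", 14, False),
    ("backup.exe", "backup.exe --nightly", 40, False),
    ("updater.exe", "updater.exe /check", 13, False),
    ("cmd.exe", "cmd.exe /c EXAMPLE-BAD-TOOL.exe", 11, True),
    ("unknown.exe", "unknown.exe", 95, True),
]

def signature_alert(cmdline):
    """Signature mode: fires only on patterns that are already known."""
    return any(sig.search(cmdline) for sig in SIGNATURES)

def behavioral_alert(process, rate, k, allowlist=()):
    """Behavioral mode: fires when the rate exceeds baseline mean + k * stddev.
    Allowlisting by process name is a simplification for this example."""
    if process in allowlist:
        return False
    return rate > mean(BASELINE) + k * pstdev(BASELINE)

def evaluate(k, allowlist=()):
    """Return (true_positives, false_positives) for both modes combined."""
    tp = fp = 0
    for process, cmdline, rate, malicious in EVENTS:
        alerted = signature_alert(cmdline) or behavioral_alert(process, rate, k, allowlist)
        if alerted and malicious:
            tp += 1
        elif alerted:
            fp += 1
    return tp, fp

if __name__ == "__main__":
    print("untuned (k=1):             ", evaluate(1))
    print("wider threshold (k=3):     ", evaluate(3))
    print("k=3 plus backup allowlist: ", evaluate(3, {"backup.exe"}))
```

The signature rule never fires on `unknown.exe`, which only the behavioral rule catches; widening the threshold and allowlisting the known backup job removes the false alerts without losing either real detection.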


Either an IDS or an IPS may work depending on your environment, and one should be an important part of any security program. Most major vendors have good options; the one you choose will depend on your budget and the functionality that you seek.