Types of Intrusion Detection Systems (IDS)


In information security there is a saying that prevention is ideal but detection is a necessity. This is why architects design networks so that perimeter components can identify, monitor and restrict traffic flows at the boundary. Firewalls are a key component of perimeter defences, but intrusion detection systems are also a necessity in today's environment. So what are the different types of intrusion detection systems, and which are appropriate for your environment? By understanding the types of intrusion detection systems, companies can identify the right technology investment for their organisation.

The idea of an intrusion detection system is to identify anomalous activity on the network or on a host, to alert when it is identified (or, where the device is deployed inline as an intrusion prevention system, to take an automated action such as dropping the traffic), and to record the activity so that it is recognised and alerted on again in future. Intrusion detection is key in current environments and now comes as a component of most next-generation firewall devices. Let's look at the different types of intrusion detection systems.

Host-based intrusion detection systems

Host-based intrusion detection systems (HIDS) monitor, detect and respond to anomalous activity on a given host. They allow policy management, forensics and analysis to take place at host level. Their purpose is to identify anomalous activity on the host itself, for example access to sensitive files or changes to configuration. A host-based IDS is integrated with the operating system, because that is where an attacker's activity on the host (process execution, file access, use of privilege) ultimately shows up, and where most vulnerabilities are exploited.

An advantage of a host-based IDS is that the host can be protected against known attacks, including ones that never cross a monitored network boundary. The weakness is that the agent runs on the very host it protects: an attacker who gains sufficient privilege can disable the IDS or alter its logs to cover their tracks. This is mitigated by forwarding alerts and logs in near real time to a separate, hardened collector that the host cannot modify, so that a silenced agent or a gap in the log stream is itself an alert, rather than by relying on the host's own copy of the evidence.
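The file-level checks described above (sensitive file access, configuration changes, logs altered to cover tracks) reduce to one mechanism: fingerprint the files you care about, re-scan later, and report what drifted. The following is an added example, not code from the original post or from any IDS product. It builds its sample host tree in a temporary directory (constructed data, not a real system), takes a baseline of SHA-256 hashes plus permission bits, then simulates an intruder editing `sshd_config`, dropping a cron job, loosening `/etc/passwd` permissions and deleting `auth.log`, and reports the drift. The paths and contents are illustrative assumptions.

```python
"""Minimal host-based integrity check: baseline a tree, re-scan it, report drift.
Added example; the directory layout and file contents are constructed, not real."""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """Return (sha256 hex digest, permission bits) for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return h.hexdigest(), mode


def build_baseline(root):
    """Walk root and fingerprint every regular file (symlinks skipped).
    Keys are slash-separated paths relative to root so they compare across runs."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def compare(baseline, current):
    """Classify drift between two baselines: new files, deleted files, and files
    whose content hash or permission bits changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text):
    """Create rel (slash-separated) under root with mode 0644, making parent dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, 0o644)


def demo():
    """Constructed scenario: baseline a small fake host, then simulate an intruder."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "var/log/auth.log", "Accepted publickey for alice\n")
        baseline = build_baseline(root)

        # Intruder activity (all constructed for the example):
        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")        # config change
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")  # persistence dropped
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)             # permissions loosened
        os.remove(os.path.join(root, "var", "log", "auth.log"))          # log deleted to cover tracks

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The permission change on `etc/passwd` is caught even though its content hash is unchanged, because the fingerprint includes the mode bits. In a real deployment the baseline and each scan result would be shipped off-host to the collector the text describes; a baseline that lives only on the monitored host is exactly what an intruder with root will edit.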

Network-based intrusion detection systems

Network-based intrusion detection systems (NIDS) are often installed at the perimeter of the network and essentially act as packet sniffers. A network-based IDS can cover the entire network or separate segments of it. It is common practice to place network-based sensors on high-risk segments, for example where internet traffic is routed or in front of a DMZ.

A network-based IDS works by sniffing packets: it analyses all traffic passing through the gateway (or mirrored to it from a span port or network tap) and applies policy-defined metrics to that traffic. Those metrics are typically signatures matched against packet content, protocol decoders that flag malformed or out-of-spec exchanges, and thresholds on connection behaviour such as the number of distinct ports one source touches in a short window. The IDS uses these rules to analyse the network protocols in use and determine whether the traffic represents anomalous activity.
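To make the idea of policy-defined metrics concrete, here is an added example (not code from the original post or from any IDS product) of a small detector that applies two kinds of rule to a constructed list of connection records: content signatures (a directory-traversal pattern and a SQL `UNION SELECT` pattern) and a behavioural threshold (one source contacting five or more distinct destination ports within a ten-second window, i.e. a port scan). The record format, the sample traffic, the IP addresses and the thresholds are all assumptions made for the example. One of the records carries only the opaque bytes of a TLS ClientHello, which the signature rules cannot see into; it is there to show what the encrypted-traffic limitation looks like at the packet level.

```python
"""Policy-driven detection over constructed connection records (added example).
Each record is (epoch_seconds, src_ip, dst_ip, dst_port, first payload bytes)."""
import re
from collections import defaultdict, deque

# Constructed sample traffic, not a real capture. Ordered by timestamp as a sensor would see it.
SAMPLE = [
    (100.0, "10.0.0.8",    "192.168.1.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # TLS ClientHello: opaque
    (101.0, "10.0.0.5",    "192.168.1.10", 21,  b""),
    (101.2, "10.0.0.5",    "192.168.1.10", 22,  b""),
    (101.4, "10.0.0.5",    "192.168.1.10", 23,  b""),
    (101.6, "10.0.0.5",    "192.168.1.10", 25,  b""),
    (102.0, "203.0.113.7", "192.168.1.10", 80,  b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    (102.5, "10.0.0.5",    "192.168.1.10", 80,  b"GET / HTTP/1.0\r\n\r\n"),
    (130.0, "10.0.0.5",    "192.168.1.10", 443, b""),  # outside the scan window of the earlier probes
    (131.0, "10.0.0.9",    "192.168.1.10", 80,  b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n\r\n"),
]

# The "policy": what the sensor is told to measure. Values here are illustrative.
POLICY = {
    "scan_distinct_ports": 5,   # alert when one source touches this many distinct ports ...
    "scan_window_s": 10.0,      # ... within this many seconds
    "signatures": {
        "dir-traversal": re.compile(rb"\.\./"),
        "sqli-union": re.compile(rb"(?i)union\s+select"),
    },
}


def detect(events, policy=POLICY):
    """Run signature and threshold rules over the records; return alert tuples in
    the order they fire. Alert shape: (kind, rule, src_ip, dst_ip, detail)."""
    alerts = []
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dst_port) inside the window
    scan_reported = set()         # suppress duplicate scan alerts per source

    for ts, src, dst, dport, payload in events:
        # 1. Content signatures: only meaningful on plaintext payloads.
        for rule, rx in policy["signatures"].items():
            if rx.search(payload):
                alerts.append(("signature", rule, src, dst, dport))

        # 2. Behavioural threshold: distinct ports per source in a sliding window.
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > policy["scan_window_s"]:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= policy["scan_distinct_ports"] and src not in scan_reported:
            scan_reported.add(src)
            alerts.append(("threshold", "port-scan", src, dst, len(distinct)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The TLS record from `10.0.0.8` produces nothing, which is the point: a signature engine sees only the handshake bytes, so any attack inside that session is invisible to it unless the traffic is decrypted first. The scan rule, by contrast, needs no payload at all; it works on connection metadata, which survives encryption.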

A drawback of network-based intrusion detection systems is that encrypted traffic usually cannot be inspected. The workaround is to terminate the encrypted session on an inspection device, examine the plaintext, and re-encrypt it towards its destination; many modern devices are capable of this TLS break-and-inspect. Be aware that this only works where the inspection device holds the server's private key or presents its own CA certificate that the clients trust, that it will not work for clients that pin certificates, and that the inspection device itself then holds the plaintext of everything passing through it and needs to be protected accordingly.

Network-based IDS deployments can be designed in a centralised or a distributed manner. In a centralised design, a single central device manages and analyses the information from all IDS sensors on the network, pulling logs from the various host-based and network-based sensors for centralised analysis. In a distributed design, the load is spread across numerous IDS systems using their own agents, with analysis happening closer to each sensor; this is mainly used in a geographically dispersed or otherwise disparate environment where hauling all traffic data back to one point is impractical.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
