An Intrusion Detection System (IDS), as its name suggests, is used to detect intrusions: attacks and misuse against your network or hosts, whether by matching known attack patterns or by flagging anomalous activity.

It is nothing more than a combination of software and hardware used for network and host monitoring. If you are a network administrator and you already have the habit of regularly checking your server logs, workstation login records and firewall access logs, then you are already doing intrusion detection, by hand.

An IDS is made to assist you in, and automate, that process. It comes in two types: Network Based and Host Based.

A Network Based IDS consists of a sniffer engine as the component that captures network packets on a subnet. The sniffer is a network tap connected to a particular network segment through a network interface in promiscuous mode, so that it receives every frame on the segment and not only the ones addressed to it (on a switched network this means a physical tap or a mirror port, because a switch only delivers a conversation to the ports involved in it). It captures and retains the packets and passes them to an analyzing engine for analysis.

A Network Based IDS can be made up of many sniffer taps connected at various segments of your network. They collect the packet information and send it all back to a central analyzing engine for one-stop analysis.

The analyzing engine works by comparing the packet contents to known network misuse patterns and deciding whether there is any potential danger of a network attack.

A signature-based IDS relies on network attack signature files that guide the analyzing engine in its lookup. In that respect it works like an anti-virus program: if your pattern file is good, it detects well; if it is poor, it does not detect at all, and an attack with no matching signature passes through silently. So you need to constantly update and refine the pattern file to suit your own network's traffic patterns and usage, both to add signatures for new attacks and to adjust or disable rules that keep firing on your legitimate traffic.
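To make the sniffer / analyzing-engine split concrete, here is an added example (Python written for this page, not code from the original article or from any IDS product) of the analysis step described above: it loads a signature file, decodes Ethernet/IPv4/TCP frames, and raises an alert when a packet's payload matches a signature. The signature file format (name | proto | dport | pattern) is invented for the example, the frames are constructed in the script rather than captured from a real interface, and the header checksums are not validated.

```python
import struct
from dataclasses import dataclass

# Constructed signature file for this example. The format (name | proto | dport |
# pattern) is invented here and is not the rule syntax of any real IDS product.
SIGNATURE_FILE = """\
# name              | proto | dport | pattern matched against the TCP payload
web-dir-traversal   | tcp   | 80    | ../../
web-etc-passwd      | tcp   | 80    | /etc/passwd
shell-uname         | tcp   | 0     | uname -a
"""

@dataclass
class Signature:
    name: str
    proto: str
    dport: int      # 0 means any destination port
    pattern: bytes

def load_signatures(text):
    """Parse the signature file; blank lines and '#' comments are ignored."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, proto, dport, pattern = (f.strip() for f in line.split("|", 3))
        sigs.append(Signature(name, proto.lower(), int(dport), pattern.encode()))
    return sigs

def parse_ipv4_tcp(frame):
    """Decode Ethernet II / IPv4 / TCP. Returns (src, dst, dport, payload), or
    None for anything the engine does not understand (non-IP, non-TCP, truncated)."""
    if len(frame) < 14 + 20 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                     # not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                    # IP header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                              # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4               # TCP header length incl. options
    return src, dst, dport, tcp[data_off:]

def analyze(frames, sigs):
    """The analyzing engine: match every decodable packet against every signature."""
    alerts = []
    for frame in frames:
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        for sig in sigs:
            if sig.proto == "tcp" and sig.dport in (0, dport) and sig.pattern in payload:
                alerts.append((sig.name, src, dst, dport))
    return alerts

def build_frame(src, dst, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for the demo (checksums left 0)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload

def demo():
    """Constructed traffic: one attack on the web server, one benign request,
    one command sent to a listener on an unusual port, and one ARP frame."""
    frames = [
        build_frame("10.0.0.5", "10.0.0.80", 40001, 80,
                    b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
        build_frame("10.0.0.6", "10.0.0.80", 40002, 80,
                    b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        build_frame("10.0.0.7", "10.0.0.22", 40003, 4444, b"uname -a\n"),
        b"\x02" * 12 + b"\x08\x06" + b"\x00" * 46,   # ARP, ignored by the engine
    ]
    return analyze(frames, load_signatures(SIGNATURE_FILE))

if __name__ == "__main__":
    for alert in demo():
        print("ALERT %-18s %s -> %s:%d" % alert)
```

The first constructed request trips two signatures, the benign request none, and the `uname -a` sent to port 4444 trips the port-independent rule; the ARP frame is dropped by the decoder before any matching happens. In a real deployment the frames would come from a promiscuous-mode capture (libpcap, or a raw socket, which needs root) rather than from `build_frame`, and the engine would also have to reassemble TCP streams, since a pattern split across two segments would slip past this per-packet check. That last point is exactly why the pattern file needs tuning: the signature `../../` above will also fire on perfectly legitimate relative paths, so in practice you would narrow it or pair it with other conditions.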

A Host Based IDS works by running on the host itself (usually a server, but you can also put it on a particular suspicious workstation) and analysing that host's own activity with the Host Based IDS software.

The drawback of a Host Based IDS is therefore the unavoidable modification of the host (you have to install the IDS software on it), and you need a different version of the IDS software for each operating system your hosts run. Keep in mind, too, that an attacker who gains full control of the host can tamper with the IDS software or the logs it reads, so its alerts should be shipped off the host rather than kept only locally.

On the other hand, a Host Based IDS can be made to monitor suspicious activity on that host much more precisely, and it reaches a level of monitoring, the application level, that a Network Based IDS cannot: for example, it sees a failed login as a failed login, while a Network Based IDS only sees the packets of the session.
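As an added example of that application-level monitoring (Python written for this page, not code from the original article or from any IDS product), the script below does what the article's administrator was doing by hand: it reads a server's login log and flags a source that fails too many logins in a short window, and a subsequent successful login from that same source. The sshd-style log lines are constructed for the example, the addresses are from the documentation ranges, and the threshold of five failures within sixty seconds is an assumption you would tune to the host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format for this example (addresses are
# from the documentation ranges; nothing here comes from a real system).
AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
Mar  3 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  3 10:00:04 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51003 ssh2
Mar  3 10:00:06 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  3 10:00:07 web1 sshd[2209]: Failed password for root from 203.0.113.9 port 51005 ssh2
Mar  3 10:00:09 web1 sshd[2211]: Accepted password for root from 203.0.113.9 port 51006 ssh2
Mar  3 10:05:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:30:00 web1 sshd[2310]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:30:05 web1 sshd[2312]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield (timestamp, outcome, user, ip) for each recognisable sshd line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # other daemons, malformed lines: not our concern here
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        yield ts, m["outcome"], m["user"], m["ip"]

def analyze_auth_log(text, threshold=5, window_seconds=60):
    """Flag a source that fails `threshold` logins inside `window_seconds`, and
    flag a later successful login from that source while failures are still in the window."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, outcome, user, ip in parse_auth_log(text):
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # slide the window forward
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, user, ts.strftime("%H:%M:%S")))
        elif ip in flagged and recent:
            alerts.append(("success-after-brute-force", ip, user, ts.strftime("%H:%M:%S")))
    return alerts

if __name__ == "__main__":
    for alert in analyze_auth_log(AUTH_LOG):
        print("ALERT %-26s from %s user=%s at %s" % alert)
```

Run against the constructed log, the script raises two alerts for 203.0.113.9 (the burst of failures, then the successful root login eight seconds later) and nothing for alice, whose two failures are twenty-five minutes apart. Note what the host sees that a network sensor would not: the SSH session is encrypted on the wire, so only the host's own daemon can say which attempts failed and which one succeeded. In production you would feed this from a live tail of the system's authentication log and send the alerts to a separate log host, for the tampering reason given above.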

There are many myths about IDS. Let’s talk more about this later.