Magazine article Security Management

Selecting a Site for the Software Sentry

Magazine article Security Management

Selecting a Site for the Software Sentry

Article excerpt

Electronic intrusion systems can be host-based or network-based, but the right choice may not be an either-or decision.

NETWORK SECURITY IS A DYNAMIC PROCESS IN WHICH SYSTEM administrators must be equipped to constantly monitor and respond to suspicious activity. Intrusion detection systems are an increasingly popular solution. The market for these products grew from [dollar]40 million in 1997 to [dollar]100 million in 1998, according to the International Computer Security Association.

Today, end users have several choices. Traditional intrusion detection systems take either a host-based or a network-based approach to identifying and averting malicious attacks. A host-based IDS is placed on the specific existing servers that management considers most in need of protection. A company can expect to pay from [dollar]500 to [dollar]l,000 per server for a host-based system.

A network-based IDS is software that is installed on a dedicated computer attached to the network. It uses sensors to listen to network traffic in real time looking for signs of malicious content. Because it requires dedicated hardware and protects more systems, it is typically more expensive than a host-based system.

The dedicated computer can run [dollar]1,000 to [dollar]2,000. The sensors can total from [dollar]8,000 to [dollar]25,000 each. The standard is to deploy a sensor at every access point on the network, from the Internet connection to the dial-up modem pool. In addition, the management station, the location to which the sensors send information to be evaluated and from which reports are generated, may range from no fee (if it's part of a package deal) to [dollar]10,000.

Both host-based and network-based systems work by searching for attack signatures, specific patterns in the data stream that usually indicate that an attack or exploit is occurring. Which system males the most sense for an organization? Network administrators are discovering that both systems have unique strengths and weaknesses and that they work best in tandem. Provided a com any has the requisite resources to do so, combining the technologies offers a greater level of protection than either system provides alone.

Host-based. As mentioned, host-based IDS is software that is installed on each server that needs protection. The primary difference between the host-based and network-based solutions is the data source, that is, the location from which each system derives the information used to conclude that an attack is underway. Host-based intrusion detection systems primarily use audit logs from the operating system.

Pros. Because audit logs contain information about events that have already transpired, host-based systems are able to determine the success of a security breach with more detail and accuracy than a network-based system.

In a typical scenario, a host-based IDS monitors system, event, and security logs on Windows NT and UNIX platforms. If changes to these operating systems are detected--for example, the system points out that a sensitive program has been modified--then the detection system compares the updated log entry to attack signatures stored in the system's database. If they resemble each other, the system responds by sending the administrator an alert and taking other prescribed actions.

Host-based detection systems are also able to monitor specific system activities, such as file accesses and attempts to install executables or access-privileged services. In addition, these systems track activities that should only be executed by authorized personnel, such as an administrator.

In essence, the host-based system is oriented toward activity that occurs at the user level, much of which can't be detected by a network-based system. So, for example, it is able to catch insider misuse, such as someone with limited privileges trying to access a sensitive file. It is also able to trace misuse back to the specific user. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.