Name?

[IS3220
UNIT 4 DISCUSSION 1:
Mr. ?

HOST-BASED VS. NETWORK-BASED IDS/IPS]

Host-Based vs.
Network-based IDSs/IPSs

Name?
IS3220
19 Jan 2014

The use of HIDS and NIDS on a network can be beneficial for an organization, but it can
also hinder operations greatly. If the constraints are so restrictive that nothing can come or go on
the network, everything is brought to a screeching halt. At the other extreme of the
spectrum, settings that are too lax create a risk of attacks on your network. As an
administrator, it is vital that you capture a baseline of the organization's normal and peak-time
network traffic as a starting point for tuning and training any HIDS/NIDS that may be part of
your network. Below are questions aimed at getting the administrator to think about the
configuration of a HIDS/NIDS and the effect it has on a system and network.
1. What types of resources are consumed during the tuning/training phase of an
intrusion system?
Answer: The resources that are consumed are the processor and memory, which is
exhausted; the productivity of users is affected; and there is expense and loss of staff hours.
2. What are some causes of resource consumption by an HIDS or NIDS?
Answer: The causes of resource consumption are incorrect tuning/training, false
negatives and positives, too many concurrent connections exceeding the buffer or
memory, and a combination of antivirus software and a HIDS installed on the same
system that can't handle the processing power required.
3. What types of resources can be consumed on an NIDS?
Answer: The NIDS can consume the CPU to the point of overloading it, and the NIDS
memory can be exhausted.
4. What are the implications of resource consumption?
Answer: The implications include exceeding the buffer or memory limit, which can
result in errors; the same packets being examined many times or some packets not
being examined (being dropped); in extreme cases, the NIDS crashing; and
networks being left at risk or unprotected.
5. What type of techniques or methods can help prevent problems with HIDS or NIDS?
Answer: Some techniques or methods that can help prevent problems are as follows.
You can specify a maximum number of concurrent connections; once the maximum is
reached, the NIDS flushes the state of some connections to reuse them. Some
problems can be avoided with proper planning and testing before implementing new
products on production computers. Ensuring proper tuning/training of a HIDS/NIDS
will help prevent DoS and other attacks. Creating a baseline of what the normal
traffic flow and peak times are like on your network, in order to tune/train the
HIDS/NIDS properly, will also help prevent problems.
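
The connection cap described in answer 5, as an added sketch that is not part of the original assignment or taken from any IDS product: a bounded flow table that flushes state when it is full. The `FlowTable` and `simulate` names, the choice to flush the least recently active flows, the 25% flush batch and the sample traffic (documentation-range addresses) are all assumptions made for illustration.

```python
from collections import OrderedDict

class FlowTable:
    """Bounded connection-state table with a hard cap on tracked flows."""

    def __init__(self, max_flows, flush_fraction=0.25):
        self.max_flows = max_flows
        # Assumption: flush a batch of the least recently active flows.
        self.flush_count = max(1, int(max_flows * flush_fraction))
        self.flows = OrderedDict()  # 5-tuple -> state, least recent first
        self.flushed = 0            # flows whose state was discarded
        self.midstream = 0          # untracked flows first seen without a SYN

    def observe(self, flow, syn=False, nbytes=0):
        state = self.flows.get(flow)
        if state is None:
            if len(self.flows) >= self.max_flows:
                self._flush()
            if not syn:
                # No handshake on record: the flow was flushed or never
                # tracked, so stream inspection resumes without context.
                self.midstream += 1
            state = self.flows[flow] = {"packets": 0, "bytes": 0}
        else:
            self.flows.move_to_end(flow)  # mark as recently active
        state["packets"] += 1
        state["bytes"] += nbytes
        return state

    def _flush(self):
        for _ in range(min(self.flush_count, len(self.flows))):
            self.flows.popitem(last=False)
            self.flushed += 1

def simulate(max_flows, burst):
    """Constructed traffic: one long-lived session, a burst of new
    connections, then one more packet on the long-lived session."""
    table = FlowTable(max_flows)
    long_lived = ("198.51.100.7", 40000, "192.0.2.10", 443, "tcp")
    table.observe(long_lived, syn=True, nbytes=60)
    for i in range(burst):
        table.observe(("198.51.100.8", 1024 + i, "192.0.2.10", 80, "tcp"),
                      syn=True, nbytes=60)
    table.observe(long_lived, nbytes=1500)
    return len(table.flows), table.flushed, table.midstream

if __name__ == "__main__":
    print("cap 8: ", simulate(8, 20))
    print("cap 64:", simulate(64, 20))
```

With the cap at 8, the burst pushes the long-lived session out of the table, so its next packet arrives with no state behind it; a cap sized from the measured peak-time baseline keeps memory bounded without losing that session.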
