A NIDS uses the raw network packets as its data source: a network adapter running in promiscuous mode monitors and analyzes all the traffic passing through the network segment, collects the relevant information and logs it. A HIDS, by contrast, is usually installed on the host being monitored, is connected to that host's network in real time, and is responsible for intelligently analyzing and judging the system audit log. If an illegal intrusion, or a deviation from the statistical norms, is found, the IDS immediately alerts the system administrator so that a decision can be made. The traditional advantages of an IDS are:
Comprehensive deployment with real-time detection: the user's current operations are judged against the user's historical behavior model, the expert knowledge stored in the system and the neural network model, so that intrusion events are detected in time;
When an intrusion or anomaly occurs, it can provide a large amount of network activity data, which helps to evaluate the integrity of critical resources and data files during post-incident intrusion analysis;
Being independent of the monitored network, it makes it difficult for attackers to eliminate the evidence of an intrusion, which facilitates intrusion tracking and network crime forensics;
Generally only one monitoring point needs to be deployed near a given network segment or host, so monitoring is fast and the total cost of ownership is low.
To use a figurative analogy: if the firewall is the door lock of a building, then the IDS is the surveillance system inside the building. Once a thief climbs in through a window, or an insider oversteps their boundaries, only a real-time monitoring system can detect the situation and issue a warning.
Unlike a firewall, an IDS is a listening device: it does not sit inline on any link, and it can work without network traffic flowing through it. The only deployment requirement is therefore that the IDS be attached to a link through which all the traffic of concern must flow. Here, "traffic of concern" means traffic from high-risk network areas and the network messages that need to be counted and monitored. In today's network topologies it is difficult to find the hub-based shared-media collision domains of the past; most network areas have been upgraded to a switched structure. Therefore, the position of an IDS in a switched network is generally chosen to be:
(1) as close as possible to the source of attack
(2) as close to protected resources as possible
These positions are usually:
• On the switch of the server zone
• On the first switch after the Internet access router
• On the LAN switch of the network segment that is the focus of protection
The firewall and the IDS can operate separately. The IDS is a proactive control system: you can choose the settings that are appropriate or that meet your requirements, and if, for example, the detection rules or the monitoring turn out to be inadequate, you can change the settings and rules or reset them.
In actual use, most current intrusion detection deployments access the network in bypass mode, listening to the data flow on the network, and this restricts the IDS's own blocking capability. The IDS can only block the current behavior by sending blocking packets, and the range it can block is very small: it can only block some TCP-based actions, such as Telnet, FTP and HTTP, and it can do nothing about UDP-based ones. Because the firewall's policy is set up in advance and cannot be set dynamically, the firewall lacks the flexibility needed to respond to an attack and cannot adequately protect the security of the network. Linking the IDS with the firewall therefore blocks attacks more effectively and reduces the network's hidden dangers to a minimum.
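As an added example (not part of the original article) of the IDS-firewall linkage described above, here is a small, hypothetical controller in Python: it receives alerts from a bypass-mode IDS, records what the IDS could do on its own (reset a TCP session; nothing for UDP), and, when one source keeps triggering alerts, creates a time-limited firewall drop rule that a static, pre-configured firewall policy could not have produced. The Alert fields, the threshold and window values and the alert trace are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Alert:
    ts: float    # seconds since start of the constructed trace
    proto: str   # "tcp" or "udp"
    src: str     # source address the IDS attributed the alert to
    sig: str     # signature / rule name that fired

class LinkageController:
    """Hypothetical IDS-to-firewall linkage: repeated alerts from a bypass-mode
    IDS become time-limited firewall drop rules (static policy cannot do this)."""

    def __init__(self, threshold=3, window=60.0, ttl=600.0):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.recent = defaultdict(deque)  # src -> alert timestamps in window
        self.rules = {}                   # src -> expiry time of drop rule

    def ids_native_response(self, a):
        # Alone, a listening IDS can only reset a TCP session; UDP has none.
        return "tcp-reset" if a.proto == "tcp" else "none"

    def expire(self, now):
        for src in [s for s, exp in self.rules.items() if exp <= now]:
            del self.rules[src]

    def handle(self, a):
        self.expire(a.ts)
        q = self.recent[a.src]
        q.append(a.ts)
        while a.ts - q[0] > self.window:  # keep only the sliding window
            q.popleft()
        if a.src in self.rules:
            return "already-blocked"
        if len(q) >= self.threshold:      # repeated alerts: ask the firewall
            self.rules[a.src] = a.ts + self.ttl
            return f"firewall-drop {a.src} until {a.ts + self.ttl:.0f}"
        return self.ids_native_response(a)

def run_demo():
    trace = [Alert(0, "tcp", "198.51.100.7", "telnet-login-fail"),
             Alert(10, "udp", "198.51.100.7", "dns-tunnel"),
             Alert(20, "udp", "198.51.100.7", "dns-tunnel"),
             Alert(30, "tcp", "198.51.100.7", "http-scan"),
             Alert(700, "udp", "198.51.100.7", "dns-tunnel"),
             Alert(705, "tcp", "203.0.113.9", "ftp-login-fail")]
    ctl = LinkageController()
    return ctl, [ctl.handle(a) for a in trace]
```

The trace shows the UDP alerts that the IDS alone cannot stop being handled once the firewall rule exists, and the rule lapsing after its TTL so the source is evaluated afresh.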