
Why host-based intrusion detection as opposed to network-based?

The information in this article applies to:

  • GFI EventsManager 2010
  • GFI EventsManager 7
  • GFI EventsManager 8
  • GFI LANguard Security Event Log Monitor 3
  • GFI LANguard Security Event Log Monitor 4
  • GFI LANguard Security Event Log Monitor 5

Article ID: KBID001591

Query keywords: intrusion detection

Network-based intrusion detection systems (NIDS) work by sniffing network traffic. Switched networks (a switch delivers each frame only to its destination port, so a sensor sees nothing unless a mirror/SPAN port or tap is set up for it), traffic encryption (IPsec and SSL/TLS hide the packet payload from the sensor) and the sheer speed of today's networks (a sensor that cannot keep up silently drops packets) make network-based IDS products "go blind" easily. This makes traditional network-based IDS difficult to deploy in modern networks.

In addition, a network-based IDS can only inspect the bytes of the packets sent over the network, so it can only detect attacks whose patterns are recognizable at the network level; such signatures go out of date quickly because the traffic generated by attacks is constantly changing. Only a host-based IDS can monitor attacks within the context of operating system objects such as user accounts, groups and files - for example, a new local account being created and then added to the Administrators group, which is recorded in the host's security event log but produces no distinctive network traffic at all.
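The following is an added example of the kind of host-level detection this article is describing; it is not code from GFI EventsManager or GFI LANguard Security Event Log Monitor. It runs simple correlation rules over a handful of constructed Windows Security log records (the event IDs 4720, 4732 and 4663 are the real Windows ones; the host name, account names, file paths, timestamps, group list and 10-minute correlation window are assumptions made for the example) and raises alerts on account, group and file activity that a packet-level sensor would never see.

```python
from datetime import datetime, timedelta

# Constructed sample records, modelled on Windows Security log events that a
# host-based monitor reads from the event log itself. The event IDs are the
# real Windows ones (4720 = user account created, 4732 = member added to a
# security-enabled local group, 4663 = object access attempted); the host,
# accounts, paths and times are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:14:05", "id": 4720, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "helpdesk2"},
    {"time": "2024-03-01T02:14:40", "id": 4732, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "MemberName": "FS01\\helpdesk2",
     "TargetUserName": "Administrators"},
    {"time": "2024-03-01T02:16:12", "id": 4663, "Computer": "FS01",
     "SubjectUserName": "helpdesk2",
     "ObjectName": "C:\\Windows\\System32\\config\\SAM", "AccessMask": "0x1"},
    {"time": "2024-03-01T09:00:00", "id": 4732, "Computer": "FS01",
     "SubjectUserName": "admin.jane", "MemberName": "FS01\\printops",
     "TargetUserName": "Print Operators"},
    {"time": "2024-03-01T09:01:30", "id": 4732, "Computer": "FS01",
     "SubjectUserName": "admin.jane", "MemberName": "FS01\\contractor7",
     "TargetUserName": "Administrators"},
]

# Policy assumed for the example: which groups and paths count as sensitive,
# and how close together "create account" and "grant admin" must be to be
# treated as one escalation chain rather than two unrelated changes.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
SENSITIVE_PATH_PREFIXES = ("c:\\windows\\system32\\config\\", "c:\\windows\\ntds\\")
CORRELATION_WINDOW = timedelta(minutes=10)


def _when(event):
    return datetime.fromisoformat(event["time"])


def _account(name):
    """Strip a COMPUTER\\ or DOMAIN\\ prefix and normalise case."""
    return name.split("\\")[-1].lower()


def detect(events):
    """Return a list of (severity, rule, account, computer) alerts.

    Every rule here keys on operating-system objects (accounts, groups,
    files), the context a network sensor inspecting packet bytes never has.
    """
    alerts = []
    created = {}  # (computer, account) -> (creation time, creating account)
    for e in sorted(events, key=_when):
        host = e["Computer"]
        if e["id"] == 4720:
            created[(host, _account(e["TargetUserName"]))] = (_when(e), e["SubjectUserName"])
        elif e["id"] == 4732 and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = _account(e["MemberName"])
            key = (host, member)
            if key in created and _when(e) - created[key][0] <= CORRELATION_WINDOW:
                # Account created and made admin within minutes: classic
                # post-compromise persistence, visible only from the host.
                alerts.append(("HIGH", "new-account-granted-admin", member, host))
            else:
                alerts.append(("MEDIUM", "admin-group-membership-change", member, host))
        elif e["id"] == 4663 and e["ObjectName"].lower().startswith(SENSITIVE_PATH_PREFIXES):
            actor = _account(e["SubjectUserName"])
            # A freshly created account touching the SAM or NTDS files is far
            # more suspicious than an established one doing so.
            severity = "HIGH" if (host, actor) in created else "MEDIUM"
            alerts.append((severity, "sensitive-file-access", actor, host))
    return alerts


if __name__ == "__main__":
    for severity, rule, account, host in detect(SAMPLE_EVENTS):
        print(f"{severity:6} {rule:30} account={account} host={host}")
```

Run as-is, the sample produces three alerts: the helpdesk2 account created and granted Administrators 35 seconds later, the same account reading the SAM hive, and contractor7 being added to Administrators with no recent creation event (flagged at lower severity). The Print Operators change is ignored because that group is not in the assumed privileged set. None of these actions would be distinguishable on the wire, particularly if the administrative session was over an encrypted channel.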