Choosing Between Host and Network Intrusion Detection System

Regarding the deployment of an IDS on the public cloud, there are two cases: the first is when we own the cloud, the other is when we borrow someone else's cloud. In the first case there are two types of network: the internal network, and the public network that users from the Internet can normally reach. The structure of the network depends on the administrators, but usually the internal and outside networks are separated by a demilitarized zone (DMZ). The public servers (those that users from the Internet access) should be equipped with tight security. The most common measures are a firewall at the edge of the public network and antivirus on each server. To complete the security, an intrusion detection system (IDS) or intrusion prevention system (IPS) should be deployed. But which type of IDS should be placed? Host based or network based, signature based or anomaly based? In my opinion a hybrid of signature based and anomaly based is best, but whether to use a host based IDS (HIDS) or a network based IDS (NIDS) is something to think hard about, and it greatly depends on the network architecture and the urgency of the situation.

This is the seventh assignment from my Master's Advanced Network Security course, which has never been published anywhere, and I, as the author and copyright holder, license this assignment under a customized CC-BY-SA: anyone may share, copy, republish, and sell it on condition that they state my name as the author and note that the original and open version is available here.
Using a HIDS is very effective because (1) it can protect important servers, (2) it can monitor encrypted communications, and (3) its resource use is distributed. Even though all servers are part of the network, they differ in importance. A server that offers services such as online shopping, e-learning, or a community site is most likely to be attacked, because it is not only very popular but also contains important information. In this case, (1) is the reason we should deploy a HIDS. Sometimes even a NIDS needs to be protected with a HIDS, because attacks could directly target the NIDS. In case (2), a HIDS is convenient because it is not affected by encryption: the encrypted packet is always decrypted at the server end. A NIDS, on the other hand, must cope with encrypted communications. For (3), each host runs its own IDS, so the resource consumed is…
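To make points (2) and the hybrid signature-plus-anomaly argument concrete, here is an added example that is not part of the original assignment: a toy host-level detector running a signature rule and a rate-anomaly rule over constructed web access-log lines, and the same signature rule applied to an opaque "wire view" of those requests, which is all a network sensor sees once the traffic is encrypted. The log lines, the key, and the XOR stand-in for TLS are all constructed for the demonstration; `hids_alerts`/`nids_alerts` are hypothetical names, not any product's API.

```python
"""Added example (not from the original essay): a hybrid HIDS view versus the
NIDS view of the same requests once the traffic is encrypted."""
import base64
import re
from collections import Counter

# Constructed access-log lines as the host sees them after TLS termination.
HOST_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 "GET /shop/cart HTTP/1.1" 200',
    '10.0.0.9 "GET /../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 "GET /login?id=1 HTTP/1.1" 200',
    '10.0.0.9 "GET /login?id=2 HTTP/1.1" 200',
    '10.0.0.9 "GET /login?id=3 HTTP/1.1" 200',
    '10.0.0.9 "GET /login?id=4 HTTP/1.1" 200',
]

# Signature rule: a directory-traversal sequence anywhere in the request line.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

def signature_alerts(lines):
    """Return (rule, line) for every line a signature matches."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def anomaly_alerts(lines, max_per_client=4):
    """Flag clients whose request count exceeds a baseline threshold."""
    counts = Counter(line.split()[0] for line in lines)
    return sorted(c for c, n in counts.items() if n > max_per_client)

def hids_alerts(lines):
    """Hybrid host view: signature hits plus rate anomalies."""
    return {"signature": signature_alerts(lines),
            "anomaly": anomaly_alerts(lines)}

def wire_view(lines, key=b"constructed-demo-key"):
    """Stand-in for ciphertext on the wire. XOR with a fixed key is not TLS,
    but like TLS it leaves the network sensor with opaque bytes, not requests."""
    return [base64.b64encode(bytes(b ^ key[i % len(key)]
                                   for i, b in enumerate(line.encode()))).decode()
            for line in lines]

def nids_alerts(lines):
    """Same signature rule, applied only to what the network sensor sees."""
    return signature_alerts(wire_view(lines))

if __name__ == "__main__":
    print(hids_alerts(HOST_LOG))   # one signature hit, one anomalous client
    print(nids_alerts(HOST_LOG))   # []: the traversal is invisible on the wire
```

The host view yields both the traversal signature hit and the over-threshold client, while the encrypted wire view yields nothing, which is the practical reason a NIDS alone cannot cover encrypted services.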