I. Explain the differences between a host-based IDPS and network-based IDPS.
II. Recall that the main purpose of this type of IDPS is to protect the server or host’s information assets.
III. Detail the following description as to what is comprised in a host-based IDPS:
• A host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system.
• HIDPSs are also known as system integrity verifiers as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.
• A HIDPS has an advantage over NIDPS in that it can usually be installed in such a way that it can access information that is encrypted when traveling over the network.
• Most HIDPSs work on the principle of configuration or change management, which means they record the sizes, locations, and other attributes of system files. The HIDPS then triggers an alert when one of the following changes occurs: file attributes change, new files are created, or existing files are deleted.
• A HIDPS relies on the classification of files into various categories and then applies various notification actions, depending on the rules in the HIDPS configuration.
• Managed HIDPSs can monitor multiple computers simultaneously by creating a configuration file on each monitored host and by making each HIDPS report back to a master console system, which is usually located on the system administrator’s computer.
IV. Justify the strengths of a HIDPS:
• A HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.
• A HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.
• The use of switched network protocols does not affect an HIDPS.
• An HIDPS can detect inconsistencies in how applications and systems programs were used by examining the records stored in audit logs.
V. Recognize the fact there are some critical flaws with a HIDPS:
• HIDPSs pose more management issues since they are configured and managed on each monitored host and are vulnerable both to direct attacks and to attacks against the host operating system.
• An HIDPS is not optimized to detect multi-host scanning, nor is it able to detect the scanning of non-host network devices, such as routers or switches and are. susceptible to some DoS attacks.
• This option often uses large amounts of disk space to retain the host OS audit logs, and to function properly, it may require disk capacity to be added to the system.
• Finally, these can inflict a performance overhead on its host systems, and in some cases, may reduce system performance below acceptable levels when fully engaged.