Guidelines on Securing Public Web Servers
based IDSs may not detect some network based attacks such as certain DoS attacks
[NIST01b]. If a host based IDS is on a Web server that is compromised, it is very likely that
the attacker will also compromise the IDS itself.
Network based IDSs are implemented as protocol analyzers with the capability to recognize
particular events. These devices monitor all network traffic on a network segment, scrutinizing
it for signs of attack or penetration attempts. Most network IDSs rely on predefined attack
signatures to detect and identify attacks. Attack signatures are a series of events that usually
indicate that a particular attack or penetration attempt is in progress. When the IDS detects a
series of events that matches one of its attack signatures, it assumes that an attack is in progress
and notifies the network administrator.
Unlike host based IDSs, network based IDSs can monitor multiple hosts and even multiple
network segments simultaneously. They can usually detect more network based attacks and
can more easily provide a comprehensive picture of the current attacks against a network.
Because network based IDSs are installed on dedicated hosts, they do not have a negative
effect on the performance of the Web server and are not immediately compromised by a
successful attack on the Web server.
Network based IDSs have some limitations. The timing of an attack can have a significant
impact on the ability of a network based IDS to detect it. For example, if an intruder
spreads the steps of an attack out over time, the IDS may not detect it. In addition, the attacker
can alter the form of the attack (e.g., fragment packets, or change the attack pattern so that it does
not match the attack signature) so that it is not recognized by the network based IDS.
Network configuration, especially the use of switches (see Section 8.2.3), can have a negative
impact on the ability of a network based IDS to detect attacks. Network based IDSs are also
more susceptible to being disabled by DoS attacks (even those not directly targeted at the IDS).
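The signature matching described above (an attack signature is an ordered series of events, and the IDS alerts when it sees that series) and the timing limitation just discussed can both be shown in a few dozen lines. The following is an added illustration written for this page, not code from NIST or from any IDS product: a toy signature-based network IDS that runs each signature as a per-source state machine over normalized events and forgets a partial match once the events are spread beyond the signature's time window. The event kinds, addresses, timestamps and signature names are all constructed for the example.

```python
# Added illustration (not from NIST SP 800-44 or any real IDS): a toy
# signature-based network IDS. A signature is an ordered series of events that,
# seen together within a time window, indicates an attack in progress; the
# detector raises an alert when the series completes for one source address.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since capture start
    src: str    # source address the protocol analyzer attributed the event to
    kind: str   # normalized event type (constructed names for this example)


@dataclass(frozen=True)
class Signature:
    name: str
    sequence: Tuple[str, ...]  # event kinds that must occur in this order
    window: float              # max seconds from first to last event of a match


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    first_ts: float
    last_ts: float


def match_signature(events: List[Event], sig: Signature) -> List[Alert]:
    """Run one signature as a per-source state machine over time-ordered events."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_src[e.src].append(e)

    alerts: List[Alert] = []
    for src, evs in by_src.items():
        idx, start = 0, None  # position in sig.sequence, ts of first matched event
        for e in evs:
            # Partial match expired: the events were spread beyond the window,
            # so the detector forgets them (the timing limitation in the text).
            if start is not None and e.ts - start > sig.window:
                idx, start = 0, None
            if e.kind == sig.sequence[idx]:
                if idx == 0:
                    start = e.ts
                idx += 1
                if idx == len(sig.sequence):
                    alerts.append(Alert(sig.name, src, start, e.ts))
                    idx, start = 0, None
    return alerts


def run_ids(events: List[Event], signatures: List[Signature]) -> List[Alert]:
    """Apply every signature and return alerts ordered by when they began."""
    alerts: List[Alert] = []
    for sig in signatures:
        alerts.extend(match_signature(events, sig))
    return sorted(alerts, key=lambda a: a.first_ts)


# Constructed signatures: three failed logins then a success within 60 s,
# and a probe followed by an exploit attempt within 120 s.
SIGNATURES = [
    Signature("brute_force_then_success",
              ("login_fail", "login_fail", "login_fail", "login_ok"), window=60.0),
    Signature("probe_then_exploit_attempt",
              ("probe", "exploit_attempt"), window=120.0),
]

# Constructed event stream, as a protocol analyzer might emit it.
CONSTRUCTED_EVENTS = [
    # 10.0.0.5: three failures and a success inside 60 s -> matches
    Event(0.0, "10.0.0.5", "login_fail"),
    Event(5.0, "10.0.0.5", "login_fail"),
    Event(10.0, "10.0.0.5", "login_fail"),
    Event(15.0, "10.0.0.5", "login_ok"),
    # 10.0.0.9: the same series spread 100 s apart -> window expires, no alert
    Event(0.0, "10.0.0.9", "login_fail"),
    Event(100.0, "10.0.0.9", "login_fail"),
    Event(200.0, "10.0.0.9", "login_fail"),
    Event(300.0, "10.0.0.9", "login_ok"),
    # 10.0.0.7: probe followed by an exploit attempt 30 s later -> matches
    Event(50.0, "10.0.0.7", "probe"),
    Event(80.0, "10.0.0.7", "exploit_attempt"),
    # 10.0.0.5 later: an ordinary successful login on its own -> no alert
    Event(400.0, "10.0.0.5", "login_ok"),
]

if __name__ == "__main__":
    # "Notifies the network administrator": here, just print each alert.
    for a in run_ids(CONSTRUCTED_EVENTS, SIGNATURES):
        print(f"ALERT {a.signature} from {a.src} ({a.first_ts:.0f}s-{a.last_ts:.0f}s)")
```

Running it produces alerts for 10.0.0.5 and 10.0.0.7 only; the slow series from 10.0.0.9 never completes inside the 60 s window, which is exactly the trade-off the text describes: widening the window catches slower attacks but keeps more partial state and raises the false-positive rate, and a signature only ever fires on the series it was written for.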
Both host based IDSs and network based IDSs share some weaknesses. The most significant
weakness is that no IDS can detect all, or often even most, of the attacks that exist today. Furthermore,
IDSs require frequent updates to their attack signature databases in order to recognize new
attacks. An IDS that is not updated frequently will fail to recognize the latest (and often most
popular) attacks.
The following applications have some IDS capabilities and are a useful complement to an IDS
although they are not considered to be IDSs.
Honey Pot is one or more hosts placed on a network for the strict purpose of
attracting and detecting intruders. A honey pot may divert an attacker's attention from
the real information system resources and allow an organization to monitor the
attacker's actions without risking real organizational information and resources.
The real benefit of a honey pot is that, since by definition it is not used for anything
other than detecting attackers, there is a high probability that any network traffic or log
entries are an indicator of malicious activity. The danger of a honey pot is that if it is