Which of the following statements is true regarding a HIDS? (Select the best answer.)
- It can monitor the network for port scans.
- It can identify spoofing attacks.
- It can analyze OS-specific protocols, such as SMB.
- It can delay packets during reassembly.
A Host-based Intrusion Detection System (HIDS) can analyze operating system (OS)-specific protocols, such as Server Message Block (SMB). An Intrusion Detection System (IDS) is a passive, out-of-band monitor: it does not sit inline with the traffic flow, so it cannot delay packets during reassembly and analysis (that is a characteristic of an inline Intrusion Prevention System, not of an IDS). A HIDS monitors activity on a single host, whereas a Network-based IDS (NIDS) monitors traffic for an entire network segment.
A host-based solution, such as a HIDS or a Host-based Intrusion Prevention System (HIPS), has direct access to the host OS and can typically understand OS-specific protocols and applications based on the behavior recorded in kernel-level audit trails. By contrast, a network-based solution, such as a NIDS or a Network-based IPS (NIPS), has limited information about the host OS and its applications.
The detailed information about a particular host, its applications, and its behaviors enables a HIDS to implement policies that are tailored to the host and that can be much more restrictive than policies implemented by a NIDS, most of which apply to the entire network. In addition, a HIDS can analyze traffic from encrypted sessions that are initiated by or terminated on the host, because the host decrypts that traffic before the HIDS inspects it.
By contrast, a NIDS does not have access to OS-specific information such as the user, process, and file context behind a connection, so it cannot analyze OS-specific protocols and applications the way a HIDS can. However, because a NIDS is not tied to a single host, it can gather intelligence about threats such as port scans and spoofing attacks, which touch multiple hosts throughout the network and are only visible when one sensor sees all of that traffic. In addition, because a NIDS is not installed on a host, it is not affected by attacks that compromise a host and disable or subvert its HIDS.
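The split described above can be made concrete with two toy detectors, one per vantage point. This is an added example written for this page, not code from any IDS product: the flow records, the audit-log field names, the thresholds and the allowed-admin list are all assumptions constructed for illustration. The network-side detector correlates SYN attempts across every host on the segment to spot a port scan, something a single host's HIDS never sees in full; the host-side detector applies a host-tailored policy to administrative-share access using user, share and result fields that exist only in the host's own audit trail.

```python
"""Added illustration: NIDS-style vs HIDS-style detection (not from the original page)."""
import re
from collections import defaultdict

# --- NIDS view: flow records captured from a tap or SPAN port ---
# Constructed sample data (assumption): (time_s, src, dst, dst_port, tcp_flags)
# One source probes 30 ports spread over three hosts, then some normal traffic.
FLOWS = [(i * 0.05, "10.0.0.5", f"10.0.0.{20 + (i % 3)}", 1000 + i, "S")
         for i in range(30)]
FLOWS += [(1.0, "10.0.0.7", "10.0.0.20", 445, "S"),   # ordinary SMB connection
          (1.1, "10.0.0.7", "10.0.0.20", 445, "SA"),  # SYN/ACK reply, not an attempt
          (2.0, "10.0.0.8", "10.0.0.21", 443, "S")]


def detect_port_scans(flows, window=5.0, min_targets=10):
    """Return {src: distinct (dst, port) SYN targets} for every source that
    touched at least `min_targets` distinct targets within `window` seconds.
    Correlating across destination hosts needs a sensor that sees the whole
    segment, which is why this is a NIDS job rather than a HIDS job."""
    attempts = defaultdict(list)  # src -> [(t, (dst, port)), ...]
    for t, src, dst, port, flags in flows:
        if flags == "S":  # bare SYN = new connection attempt
            attempts[src].append((t, (dst, port)))
    scans = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(in_window) >= min_targets:
                scans[src] = max(scans.get(src, 0), len(in_window))
    return scans


# --- HIDS view: the host's own audit trail ---
# Constructed lines (assumption): key=value records loosely modelled on a
# share-access audit event; the field names are this example's own.
AUDIT = [
    "t=100 event=share_access user=alice share=\\\\ws01\\public src=10.0.0.7 result=success",
    "t=101 event=share_access user=alice share=\\\\ws01\\ADMIN$ src=10.0.0.5 result=failure",
    "t=102 event=share_access user=svc_backup share=\\\\ws01\\C$ src=10.0.0.9 result=success",
    "t=103 event=logon user=alice type=interactive result=success",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_audit(line):
    """Turn one key=value audit line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect_admin_share_access(lines, allowed_admins=("svc_backup",)):
    """Host-tailored policy: report any access (successful or not) to an
    administrative share (name ending in '$') by an account outside the
    allowed list. The user, share name and result come from the host OS;
    a NIDS watching an encrypted SMB3 session would not see any of them."""
    alerts = []
    for line in lines:
        rec = parse_audit(line)
        if rec.get("event") != "share_access":
            continue
        if rec["share"].endswith("$") and rec["user"] not in allowed_admins:
            alerts.append((rec["user"], rec["share"], rec["src"], rec["result"]))
    return alerts


if __name__ == "__main__":
    print("NIDS port-scan sources:", detect_port_scans(FLOWS))
    print("HIDS admin-share alerts:", detect_admin_share_access(AUDIT))
```

Run as a script, the network detector reports 10.0.0.5 with 30 distinct targets (the probes against three different hosts are counted together), while the host detector reports alice's failed attempt on ADMIN$ from 10.0.0.5 and ignores the allowed backup account. Note that the same scanning source shows up in both outputs only because the host log happens to record its source address; the HIDS alone could never tell that the same source was also probing two other hosts.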