What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
A.
They do not use host system resources.
B.
They are placed at the boundary, allowing them to inspect all traffic.
C.
They are easier to install and configure.
D.
They will not interfere with user interfaces.
A – is the least bad answer
B – Unless one configured a TAP / SPAN port, the firewall will only “see” traffic routed though it (e.g. inter-zone traffic)
C – There is an argument to be made for NGFW being easier to install and operate than an HIPS system. Clients are such a PITA.
If an organization only has one or the other, evasion is easier for the attacker.
So far I have only seen one organization this year that properly manages HIPS.
Is B the correct one?