- Ability to use things on the system like logs, system services, registry events, etc.
- By the time the HIDS detects an attack, it's probably too late
- Uses system resources since it's running on the host.
- Usually a separate box, so it doesn't take any cycles from the system (no additional overhead).
- Good for detecting unauthorized outsider access and bandwidth theft or denial of service attacks.
- Fairly easy to implement
- Doesn't affect the speed of the network
- Most people don't correctly size and plan for traffic growth (once the NIDS gets overloaded and begins dropping packets, you can't trust anything coming from it)
- Only able to look at packets on the wire; it can't see audit records or other host-side data on the systems you're protecting.
- Susceptible to "low and slow" attacks
It's best to use a combination of both NIDS and HIDS. Typically VPN gateways and web, mail, DNS and similar servers cannot handle the additional overhead of HIDS agents. A good strategy is to use a NIDS plus something like Tripwire (a System Integrity Verifier) set to a long alert cycle (~24 hours) for lower overhead. These servers are especially important to protect, since about 33% of attacks are aimed at these high-value servers.