Advantages:
- the sensors can be secured well as they "only" observe traffic
- you can detect scans better, on the basis of signatures... you can "filter" traffic (actually, we will show later that this is not always the case)
Disadvantages:
- the probability of so-called false negatives (attacks that are not detected as attacks) is high, as it is difficult to control the whole network
- mostly, they have to operate on encrypted packets, which complicates packet analysis
- unlike host-based IDS, they do not see the impact of an attack