NIDS - A Guide To Network Intrusion Detection Systems
Critical cyber defences
Most business owners now understand that cyber security is more critical than ever and want measures in place to detect and prevent malicious attacks. Knowing which security capabilities to implement, however, is not always straightforward. A Network Intrusion Detection System (NIDS) is one technology that belongs in any effective security programme.
In this guide, you will gain a better understanding of NIDS, what it does and how it compares against similar security technologies. But before we discuss NIDS, we should define what intrusion detection systems (IDS) are.
Intrusion Detection Systems (IDS)
An intrusion detection system is designed to continually monitor a network or host device to detect threats. Any suspicious activity or security policy violation that is flagged will be reported to the system administrator.
As a basic analogy, compare an intrusion detection system to the alarm system of a building. When the alarm sounds, it indicates that something potentially malicious is happening; it does not, by itself, stop the intruder. An IDS is the same: it identifies the suspected threat and reports it, and something else (a person or an enforcement control) must act on the report. Both can also raise false alarms, and both can be evaded by an attacker with the right tools and knowledge.
There are two types of IDS: a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS). This guide focuses on NIDS, but we will look at host-based intrusion detection to compare the two.
What is a Network-Based Intrusion Detection System?
A Network-Based Intrusion Detection System (NIDS) monitors network traffic to detect suspicious activity. Sensors are placed at strategic chokepoints, such as the DMZ or just inside a firewall, and receive a copy of the traffic (typically from a switch SPAN/mirror port or a network TAP) so that they can analyse each packet, inbound and outbound, for signs of malicious activity. Sensor placement is crucial: a sensor only sees traffic that crosses its observation point, so traffic on a segment the sensor is not attached to is invisible to it, and encrypted payloads can only be inspected if the sensor is given the keys or sits behind a TLS-terminating proxy. A single sensor can monitor many hosts, but several may be required when the traffic volume exceeds what one sensor can process; an overloaded sensor silently drops packets, and any attack in the dropped packets goes undetected.
When abnormal traffic is detected, the NIDS sends an alert for an administrator or analyst to investigate. Abnormal behaviour could include network-level Denial of Service attacks, port scanning, or a sharp, unexplained increase in network traffic.
What Are the Pros and Cons of NIDS?
Advantages of NIDS
Challenges of NIDS
How Network-Based Intrusion Detection Systems Work
Signature-based Intrusion Detection System
Anomaly-Based Intrusion Detection System
Anomaly-based NIDS take a different approach that complements signature matching. Rather than looking for a known pattern, the sensor first observes traffic during a learning period and builds a baseline of what 'normal' looks like, using statistical analysis and, increasingly, machine learning: typical packet rates, protocols, ports and peers. Once the baseline exists, traffic that deviates significantly from it is flagged and reported.
Signature-based NIDS tend to produce fewer false positives, because an alert fires only when traffic matches a pattern already known to be malicious. The trade-off is that they cannot detect anything for which no signature exists yet, including zero-day attacks and novel variants of known ones. Anomaly-based NIDS can flag such unknown threats, but at the cost of more false positives and a dependence on the baseline being representative: if an attacker is already active during the learning period, their activity is learned as 'normal'. Most NIDS combine both methods to form a complete system.
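The following is an added example, not code from the original page or from any product it mentions. It implements the two methods described above on a toy sensor and runs them over constructed packet records containing the behaviours listed earlier (a port scan and a sharp traffic spike) plus one known-bad payload. The signature list, the packet format, the IP addresses and the thresholds are all assumptions made for the illustration; the signatures are written in the spirit of Snort/Suricata content rules but are not taken from any real rule set.

```python
"""Toy NIDS sensor: signature matching beside a learned anomaly baseline.
Added example, not code from the original page; packets, signatures and
thresholds are constructed for illustration (a real sensor reads a copy of
traffic from a SPAN/mirror port or TAP and uses production rule sets)."""
import re
import statistics
from collections import Counter, defaultdict

# A packet record is (timestamp_s, src_ip, dst_ip, dst_port, payload_bytes).
# Hypothetical signatures in the spirit of Snort/Suricata content rules:
# a known-bad byte pattern on a given port, tagged with a rule id (sid).
SIGNATURES = [
    {"sid": 1000001, "port": 80, "msg": "HTTP directory traversal",
     "pattern": re.compile(rb"\.\./\.\./")},
    {"sid": 1000002, "port": 80, "msg": "SQL injection tautology",
     "pattern": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE)},
]


def signature_alerts(packets):
    """Signature-based detection: only traffic a rule already describes fires."""
    alerts = []
    for ts, src, _dst, dport, payload in packets:
        for sig in SIGNATURES:
            if dport == sig["port"] and sig["pattern"].search(payload):
                alerts.append({"ts": ts, "src": src, "sid": sig["sid"],
                               "msg": sig["msg"]})
    return alerts


def learn_baseline(training):
    """Anomaly step 1: learn 'normal' (pkt/s distribution, ports per source)."""
    rates = list(Counter(int(ts) for ts, *_ in training).values())
    ports_by_src = defaultdict(set)
    for _ts, src, _dst, dport, _payload in training:
        ports_by_src[src].add(dport)
    return {"rate_mean": statistics.mean(rates),
            "rate_stdev": statistics.pstdev(rates),
            "max_ports_per_src": max(len(p) for p in ports_by_src.values())}


def anomaly_alerts(packets, baseline, k=3.0, scan_factor=5):
    """Anomaly step 2: report deviations from the baseline.
    k and scan_factor are tuning knobs: lower values catch more but raise
    the false-positive rate, the classic trade-off of this method."""
    alerts = []
    limit = baseline["rate_mean"] + k * baseline["rate_stdev"]
    talkers = defaultdict(Counter)          # second -> Counter(src -> packets)
    ports_by_src = defaultdict(set)
    for ts, src, _dst, dport, _payload in packets:
        talkers[int(ts)][src] += 1
        ports_by_src[src].add(dport)
    for sec in sorted(talkers):             # sharp increase in traffic volume
        total = sum(talkers[sec].values())
        if total > limit:
            top_src, _ = talkers[sec].most_common(1)[0]
            alerts.append({"ts": sec, "src": top_src, "kind": "traffic spike",
                           "detail": f"{total} pkt/s > {limit:.1f}"})
    for src, ports in sorted(ports_by_src.items()):   # port scanning
        if len(ports) > scan_factor * baseline["max_ports_per_src"]:
            alerts.append({"ts": None, "src": src, "kind": "port scan",
                           "detail": f"{len(ports)} distinct ports"})
    return alerts


def make_normal_traffic(seconds, start=0):
    """Constructed benign traffic: two clients, 8 to 10 packets per second."""
    pkts = []
    for t in range(start, start + seconds):
        for i in range(5 + t % 3):
            pkts.append((t + i / 8, "10.0.0.5", "10.0.1.10", 443, b"tls app data"))
        for i in range(3):
            pkts.append((t + i / 3, "10.0.0.6", "10.0.1.10", 80,
                         b"GET /index.html HTTP/1.1"))
    return pkts


def make_attack_traffic():
    """Constructed attacks mixed into a later window of normal traffic."""
    pkts = make_normal_traffic(30, start=100)
    # Slow port scan: one probe per second to 20 ports, never a rate spike.
    pkts += [(100 + p, "10.0.0.99", "10.0.1.10", p, b"") for p in range(1, 21)]
    # Directory traversal from an otherwise normal client: a known pattern,
    # so the signature catches it while the rate baseline never notices.
    pkts.append((121.5, "10.0.0.6", "10.0.1.10", 80,
                 b"GET /../../etc/passwd HTTP/1.1"))
    # Flood: 50 packets in one second with benign-looking content.
    pkts += [(125 + i / 50, "10.0.0.77", "10.0.1.10", 80, b"GET / HTTP/1.1")
             for i in range(50)]
    return pkts


def run_sensor():
    """Combine both methods, as most NIDS do; each catches what the other misses."""
    baseline = learn_baseline(make_normal_traffic(60))
    traffic = make_attack_traffic()
    return signature_alerts(traffic) + anomaly_alerts(traffic, baseline)
```

Calling run_sensor() yields three alerts: the traversal request is found only by the signature (its packet rate is entirely normal), while the slow scan and the flood are found only by the anomaly baseline (their payloads match no rule). The scan is deliberately one probe per second so that it stays under the rate limit of roughly 11.4 pkt/s derived from the training traffic; it is the count of distinct ports per source, not the volume, that gives it away. Lowering k or scan_factor would make the sensor more sensitive and, on real traffic, noisier.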
HIDS vs NIDS
The two types of intrusion detection system are host-based and network-based. A Host-based Intrusion Detection System (HIDS) is installed on an individual host (a workstation, server or other endpoint) and inspects what happens on that host: its logs, processes and file system. A NIDS, in contrast, inspects the traffic crossing a network segment.
The advantage of a NIDS is that it can monitor a large number of devices from a single network location. For most enterprises, this makes it the easier of the two to deploy and the less expensive option. A HIDS agent has to be deployed, updated and managed on every host it covers.
A NIDS also sees an attack as it crosses the wire, before it reaches the target host, whereas a HIDS only sees its effect on the host (a log entry, a new process, a file change), so network alerts often arrive earlier. This does not mean HIDS are ineffective: they excel at spotting activity that never crosses a monitored network segment, such as a local file-permission change or a suspicious process started by an insider, and they can inspect data after the host has decrypted it, which a NIDS watching encrypted traffic cannot.
A HIDS therefore provides a second line of defence, detecting attacks that the NIDS failed to spot. For this reason, using both in conjunction is the most robust IDS strategy.
What's The Difference Between NIDS and NIPS?
Intrusion detection systems, both NIDS and HIDS, are designed to monitor, detect and report suspicious activity. An Intrusion Prevention System (IPS) scans for the same malicious activity but also takes action to block it. Put simply, a NIDS is deployed passively, receiving a copy of the traffic and identifying threats, whereas a NIPS (Network-based Intrusion Prevention System) sits inline in the traffic path so that it can drop the offending packets and stop the attack.
Some enterprises prefer NIDS to NIPS because of false positives. When a NIPS misclassifies normal activity as an attack, it blocks that legitimate traffic, and if this happens regularly it disrupts the business. A NIDS raises the same false positive as an alert, an administrator validates that it is normal activity, and no traffic is lost. An inline NIPS is also a device in the traffic path: if it fails or is overwhelmed, it must either fail open, passing traffic uninspected, or fail closed, blocking everything, and that choice must be made deliberately before deployment.
The best solution is for a business to deploy both intrusion detection and prevention capabilities to monitor, detect and prevent network security threats.
NIDS and Firewalls
Firewalls and NIDS have in common that both are deployed to protect a network. However, a NIDS passively monitors for potential cyber threats and alerts someone to deal with the reported incident; as discussed above, it enforces nothing on its own. A firewall is closer to an intrusion prevention system: it blocks or allows network traffic based on a set of predefined security rules, traditionally on addresses, ports and protocols rather than on the content of the traffic.
Many of the Next Generation Firewalls (NGFW) have additional integrated features such as IDS and IPS, making them a much more sophisticated cyberthreat solution beyond the traditional firewall.
It should be understood that a Network Intrusion Detection System is not a standalone solution that will protect your business from cyber-attacks. Instead, NIDS should be one part of a comprehensive suite of security controls that detect and counter malicious threats. These will typically include anti-virus, firewalls, and both IDS and IPS.