NIDS - A Guide To Network Intrusion Detection Systems

Written by Joe A. J. Beaumont  Security Blogger

09/04/2021

Critical cyber defences

Most perceptive business owners understand that cyber security is now more critical than ever and want to put measures in place to prevent malicious attacks. However, knowing which security capabilities should be implemented to ensure a secure network isn't always straightforward. A Network Intrusion Detection System (NIDS) is one such technology that should be a part of any effective security system.

In this guide, you will gain a better understanding of NIDS, what it does and how it compares against similar security technologies. But before we discuss NIDS, we should define what intrusion detection systems (IDS) are.

Intrusion Detection Systems (IDS)

An intrusion detection system is designed to continually monitor a network or host device to detect threats. Any suspicious activity or security policy violation that is flagged will be reported to the system administrator.

As a basic analogy, you can compare an intrusion detection system to an alarm system in a building used for physical security. When the alarm goes off, it indicates that some sort of malicious activity may be occurring. However, the alarm doesn't actually provide security in and of itself, and the same is true of an IDS: it only identifies the threat and reports it. Both can also raise false alarms, and both can be bypassed by attackers with the right tools and knowledge.

There are two types of IDS: NIDS, a network-based intrusion detection system, and HIDS, a host-based intrusion detection system. In this guide, we focus on NIDS, but we will look at host intrusion detection to compare the two.


What is a Network-Based Intrusion Detection System?

A Network-Based Intrusion Detection System (NIDS) monitors network traffic patterns to detect suspicious activity. Sensors are placed at strategic chokepoints, such as the DMZ or behind a firewall, and analyse each individual packet (inbound and outbound) for malicious activity. It is crucial to consider where the sensors are placed so that they have the most visibility. A single sensor can monitor several hosts, but multiple sensors might be required depending on the amount of traffic going to and from all network devices.

If abnormal traffic is found, the NIDS will send an alert to the administrator to investigate. Abnormal behaviour could include network-level Denial of Service attacks, port scanning, or a sharp increase in network traffic.


What are The Pros and Cons of NIDS?

Network Intrusion Detection offers a range of security options, but it has its flaws, just like any other security solution.

Advantages of NIDS

  • NIDS can easily be deployed into an existing network with little disruption.
  • They detect events in real time, allowing them to log evidence of an attack that the malicious actor might later try to remove.
  • A NIDS can analyse the types and number of attacks it observes. The data gathered can then be used to enforce more effective security controls and to identify network device configuration issues.
  • Increased network visibility makes it easier to meet specific compliance requirements for IT security.

Challenges of NIDS

  • A network intrusion detection system only helps to expose attacks, not to prevent or stop them. For this reason, NIDS must be combined with other security measures to provide a comprehensive cybersecurity strategy.
  • NIDS can't inspect the contents of encrypted traffic.
  • Network intrusion detection systems can't easily recognise certain types of attack, for instance attacks split across fragmented packets.
  • NIDS need an experienced systems administrator to oversee and monitor them, one who has the necessary understanding to take action on any threat. They will also need to be on hand to respond to frequent false positives.

How Network-Based Intrusion Detection Systems Work

There are two types of NIDS: one works by detecting signatures of known attacks, the other by identifying anomalies relative to normal behaviour.

Signature-based Intrusion Detection System

Signature-based IDS monitor network traffic and attempt to match it against a database of known IOCs (Indicators of Compromise). If any traffic activity corresponds to a known attack signature, such as a malicious domain, specific network attack behaviour, a known malicious IP address, or an email subject line, it will alert the system administrator. A significant limitation of signature-based NIDS is that malicious actors never sleep; they are always looking to stay one step ahead. The signature database must therefore be regularly updated with the latest known indicators of compromise. Also, cybercriminals can often avoid detection from signature-based IDS by modifying their intrusion patterns, or by using encryption.

Anomaly-Based Intrusion Detection System

Anomaly-based NIDS work in a different way that complements the signature-based method. Rather than looking for a known signature, they monitor network traffic and use AI and machine learning, through methods such as statistical analysis, to build a model of 'normal traffic'. Once the system has learned what represents normal behaviour, it can identify abnormal behaviour more efficiently and send a report once it is detected.

Signature-based NIDS tend to be the more reliable of the two, producing fewer false positives, as the potential threats are based on known signatures. However, anomaly-based NIDS have the advantage of being able to identify unknown threats, such as zero-day attacks, that signature-based systems cannot detect. Most NIDS combine both anomaly-based and signature-based detection to establish a complete system.
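To make the two approaches concrete, here is an added example (not code from the original article) that runs a toy signature matcher and a toy statistical anomaly detector over constructed flow records. The IOC values, IP addresses, domain names and thresholds are all made up for the illustration; the point is that each detector catches what the other misses.

```python
"""Signature-based vs anomaly-based NIDS logic over constructed flow records."""
from statistics import mean, pstdev

# Constructed IOC database (sample values, not real indicators).
IOC_IPS = {"198.51.100.23"}
IOC_DOMAINS = {"update-check.example"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes, domain).
# BASELINE is the "learning" window of normal traffic; TRAFFIC is what we inspect.
BASELINE = [("10.0.0.5", "192.0.2.10", 443, 4_000 + i * 100, "intranet.example")
            for i in range(10)]
TRAFFIC = [
    ("10.0.0.5", "192.0.2.10", 443, 4_500, "intranet.example"),       # normal
    ("10.0.0.7", "198.51.100.23", 443, 900, "update-check.example"),  # matches an IOC
    ("10.0.0.5", "192.0.2.10", 443, 2_000_000, "intranet.example"),   # traffic spike
] + [("10.0.0.9", "192.0.2.20", p, 60, "") for p in range(20, 60)]   # port scan

def signature_alerts(flows):
    """Signature-based: flag any flow that touches a known-bad IP or domain."""
    alerts = []
    for src, dst, _port, _size, domain in flows:
        if dst in IOC_IPS:
            alerts.append((src, f"contact with known malicious IP {dst}"))
        elif domain in IOC_DOMAINS:
            alerts.append((src, f"contact with known malicious domain {domain}"))
    return alerts

def anomaly_alerts(baseline, flows, sigma=3.0, scan_ports=15):
    """Anomaly-based: learn bytes-per-flow from the baseline window, then flag
    flows far above it (sharp traffic increase) and sources touching many
    distinct ports (port scan). Both thresholds are chosen for this example."""
    sizes = [f[3] for f in baseline]
    limit = mean(sizes) + sigma * pstdev(sizes)  # ~5312 bytes for BASELINE
    alerts, ports_by_src = [], {}
    for src, _dst, port, size, _domain in flows:
        if size > limit:
            alerts.append((src, f"flow of {size} bytes exceeds baseline limit {limit:.0f}"))
        ports_by_src.setdefault(src, set()).add(port)
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_ports:
            alerts.append((src, f"possible port scan: {len(ports)} distinct ports"))
    return alerts

if __name__ == "__main__":
    for kind, found in (("signature", signature_alerts(TRAFFIC)),
                        ("anomaly", anomaly_alerts(BASELINE, TRAFFIC))):
        for src, reason in found:
            print(f"[{kind}] {src}: {reason}")
```

The IOC contact is a small, ordinary-looking flow, so only the signature detector sees it; the spike and the scan match no signature, so only the anomaly detector sees them.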


HIDS vs NIDS

The two types of intrusion detection systems are host-based and network-based. A Host-based Intrusion Detection System (HIDS) is installed on a single host, such as a computer, server or other endpoint, in contrast to NIDS, which is deployed to monitor a whole network.

The advantage of a Network Intrusion Detection System is that it can monitor a large number of devices from a single network location. For most enterprises, this is the easier of the two to deploy and the less expensive option. In contrast, a HIDS needs to be deployed and managed on each host on the network.

NIDS are also quicker to respond to potential threats than HIDS, as they monitor packet headers crossing the network in real time. This isn't to say that HIDS are ineffective; they excel at identifying insider threats, such as file permission changes.

HIDS provide a second line of defence, detecting attacks that NIDS might have failed to spot. For this reason, using both in conjunction is the most robust IDS strategy.

What's The Difference Between NIDS and NIPS?

Intrusion detection systems, both NIDS and HIDS, are designed to monitor, detect and report suspicious activity. Intrusion Prevention Systems (IPS) scan for malicious activity and take steps to block the action from occurring. To put it simply, NIDS are deployed passively on a network to identify threats, whereas a NIPS (Network-based Intrusion Prevention System) will attempt to stop the attack.

The reason that some enterprises prefer NIDS to NIPS is that when a NIPS flags an event as a false positive (normal activity erroneously detected as an attack), it blocks that normal traffic. If this occurs regularly, it can negatively impact a business. In contrast, a NIDS alerts the system administrator to the false positive, who can then validate that it is normal activity.

The best solution is for a business to deploy both intrusion detection and prevention capabilities to monitor, detect and prevent network security threats.


NIDS and Firewalls

Firewalls and NIDS have in common that both can be deployed as security solutions to protect a network. However, a NIDS passively monitors for potential cyber threats and alerts someone to deal with the reported incident. As we've previously discussed, a NIDS offers no protection to the network on its own. A firewall is more similar to an intrusion prevention system: it blocks or allows network traffic based on a set of predefined security rules.

Many next-generation firewalls (NGFW) have additional integrated features such as IDS and IPS, making them a much more sophisticated cyber-threat solution than the traditional firewall.


Final Thoughts

It should be understood that a Network Intrusion Detection System isn't a standalone solution that will protect your business from cyber-attacks. Instead, NIDS should be one part of a comprehensive suite of security tools that safeguard against malicious threats. These will typically include anti-virus, firewalls, and both IDS and IPS.

