A Network Intrusion Detection System (NIDS) is a computer software application that can detect and report network security problems by monitoring network or system activities for malicious or anomalous behavior.
How It Works
NIDS works by examining a variety of data points from different sources within the network. Packet headers, statistics, and protocol/application data flows are analyzed to determine whether malicious or anomalous activity has taken place. It can be used to identify possible security breaches on a system including sniffers and attacks on services such as HTTP/S, SMB, SSH etc.
There are two types of Network Intrusion Detection Systems:
Network sensors are often dedicated devices or applications that run exclusively as NIDS. The sensor monitors and analyzes network traffic for malicious behavior. The sensor can be located at various points on the network, depending on where it is needed. For example, a router may have a sensor installed to monitor traffic that passes through the router or a switch could have a sensor that monitors traffic as it passes from one port to another.
Host-based Intrusion Detection Systems
For this type of system, the sensor is software that monitors network traffic from within a single host on the network. In most cases, a host-based IDS is used only to monitor traffic within the local host or a particular service or application. However, in some cases, it may monitor packets as they pass through a firewall from one network to another or it could monitor activity on an entire host running multiple services and applications at once.
Technologies That Can Be Monitored by NIDS
Network Intrusion Detection Systems use one or more technologies to analyze for threats on your network. These can include:
Packet headers contain specific information about the packet being transmitted across your network. Information in the header can include source and destination IP addresses, ports, protocol types, etc. The NIDS will analyze this information for suspicious activity or malicious behavior.
The total packets per second is a common technology used by a NIDS to monitor for threats on your network. This may be a configuration option that you specify when installing a traffic monitoring system on your network. An IDS can compare normal traffic rates, with those being transmitted at any one time across the network, to detect anything out of the ordinary. For example, if there is no heavy traffic on the network, but packets are still being transmitted at a high rate of speed, this could indicate suspicious activity.
Protocols and Applications
Network Intrusion Detection Systems use various types of protocols to monitor for threats on your network. These can include:
- Packet protocols. TCP/IP, UDP/IP, ICMP etc.
- Anomaly-based protocols. This is where an IDS has been programmed to detect anomalies in protocols that are otherwise benign when working normally. For example, if you had a specific protocol that was known to have 50% packet loss during normal operation and a packet loss percentage significantly different from the norm is detected, this would trigger an alarm or alert enabling you to investigate the problem further.
- Data flow analysis. NIDS can analyze data flow throughout the network to determine where a problem may be taking place. For example, if a user suddenly begins transmitting a large amount of data, an IDS will recognize this and alert you to possible security breaches occurring on your network.
Common Types of Network Intrusion Detection Systems
There are five common types of NIDS that can be used to monitor traffic on your network. Each has its own benefits and drawbacks depending on your business needs:
This type of NIDS uses signatures from previously analyzed attacks. It learns which patterns indicate malicious activity so future events with similar characteristics will be detected immediately. Signature-based systems do not need any knowledge about the normal behavior of users or applications to operate.
Stateful Protocol Analysis System
This type of NIDS is similar to a signature-based system in that it learns which patterns indicate malicious activity. Stateful protocol analysis systems differ because they do not need to know what specific attacks look like before they are detected. Instead, it can maintain temporary information about how your network normally operates and will compare new events against the normal traffic rate of existing connections.
This type of NIDS uses behavioral analysis to determine whether any suspicious activity has occurred. If the behavior being analyzed meets certain conditions set by the administrator, an alert will be triggered so appropriate action can be taken in response to malicious activity.
This type of NIDS is similar to the behavior-based system, except that it learns what typical network behavior looks like by analyzing how real connections are established and used over time. The administrator may also need to provide information about which events should trigger alerts if anomalies are detected. This type of system is configured to learn what the normal traffic on your network looks like, which can reduce false-positive rates, however, changes in user computer activity or changes made by new software installations could also trigger false alarms.
This type of NIDS uses heuristics to look beyond attacks with known signatures and analyze them against a set of rules to determine whether any suspicious activity has occurred. The heuristic-based system is capable of detecting advanced attacks without previously knowing what those attacks look like by looking for a combination of characteristics that indicate a possible security issue.
Advantages and Disadvantages of Network Intrusion Detection System
There are several benefits and drawbacks associated with deploying a Network Intrusion Detection System on your organization’s network. Some advantages include:
- Detects known and unknown malware. A NIDS can be configured to detect common types of malware, as well as new or unknown threats, so you will quickly know when hackers have compromised your systems.
- Reduces downtime. Once an intrusion is detected, NIDS immediately shuts down the process and alerts you so you can react quickly to stop further damage.
- Prevents attacks. The NIDS constantly monitors network traffic to identify suspicious activity and block it before hackers are able to gain access to your system.
- Detects compromised devices. A NIDS can detect when a user’s computer has been compromised so, the attacker cannot gain access to other machines on the network or use the compromised machine as an attack vector into other parts of your business’s information technology infrastructure.
Disadvantages associated with deploying the Network Intrusion Detection System include:
- Requires frequent updating. It is important to update your NIDS regularly so it will continue to recognize known threats and keep up with new ones. There are several ways to perform this update; updates are essential to the success of your NIDS.
- Requires extensive configuration. To be most effective, a NIDS must be configured with information about how your network normally operates and what types of activities should trigger an alert. This can require some effort on your part but will ensure that you receive alerts for suspicious behavior or malware only after it has been detected.
- Requires maintenance. Many systems require manual updating and configuration and therefore need constant management by IT staff to be most effective. If you do not have dedicated IT resources available to maintain the system, it may need to be removed from your network until these resources become available.
Network Intrusion Detection System vs. Network Intrusion Prevention System (NIPS)
A NIDS is a passive system that compares the current network traffic against known malware signatures. In contrast, a NIPS actively analyzes the network traffic in real-time and blocks any suspicious activities. It can be configured to prevent an intruder from gaining access to your private information even if it doesn’t have a complete understanding of all possible security threats.
Network Intrusion Detection System vs. Firewall
A firewall is a network security system that controls the incoming and outgoing network traffic by monitoring which computer or IP address is allowed to access other computers on your network. A NIDS analyzes the data packets that are transmitted over your business’s network to identify possible cyber-attacks or malicious activities.
While both systems monitor your private information networks looking for suspicious activity, they do it in different ways. A NIDS performs continuous analysis of all traffic passing through your business’s network looking for known malware signatures, whereas a firewall denies access to specific users and/or IP addresses trying to access your network.
Network Intrusion Detection System vs. Host-Based Intrusion Prevention Systems
A host-based intrusion prevention system monitors and blocks suspicious activity that is taking place on a single computer, whereas a NIDS looks for unusual or suspicious activity across all your business’s computers, servers, and other devices in real-time to identify potential attacks against the entire network. In addition, a NIDS can be configured to automatically react to an attack by shutting down processes, blocking access from compromised machines, and alerting IT staff to the possible presence of malware.
Network Intrusion Detection System vs. Virus Protection
Virus protection software identifies and eliminates computer viruses after they have been downloaded onto your system, whereas NIDS monitor and analyze data packets as they pass through the network to identify suspicious activities that may indicate a security breach.
Network Intrusion Detection System vs. Anti-Virus Software
Both anti-virus software and NIDS work together to automatically scan all incoming and outgoing data and compare it against known malware signatures. At first glance, you might think that these two products do the same thing, but there are subtle differences between them:
Anti-virus software is designed to protect single host computers from attack by locating specific types of malware on those computers; it scans binaries for known malware signatures and flags them as either safe or infected with malware. A NIDS analyzes all the data packets passing through your business’s network to identify signs of an attack; it monitors the network traffic looking for patterns that may indicate suspicious activities such as port scanning or brute force attacks against common services like FTP or Telnet using default usernames and passwords.
A major difference between anti-virus software and NIDS is how they work in practice. Anti-virus software relies on you to update it regularly so it can detect new viruses, whereas most NIDS products are updated automatically overnight without requiring intervention from the user.
Network Intrusion Detection System vs. Anomaly-Based Intrusion Detection System (ABIDS)
An anomaly-based intrusion detection system (ABIDS) works in much the same way that a NIDS does, but it uses statistical analysis to identify unusual activity instead of using signatures to flag suspicious traffic. This form of IDS is most effective against zero-day attacks because it looks for data patterns rather than known malware signatures. ABIDS analyzes all activity taking place on your network and identifies anomalous behavior, whereas NIDS analyzes only network traffic looking for signs of known malicious activities.
ABIDS must process all network data before any activity is flagged as anomalous or suspicious, whereas NIDS only processes the packets that are potentially malicious. Since this form of IDS is more proactive in its monitoring of your network traffic, it can sometimes be more of a drain on your business’s resources than a NIDS.
Network Intrusion Detection System vs. Anomaly-Based Intrusion Prevention system
This form of IDS works in the same way that ABIDS do, but instead of generating alerts they automatically react to anomalies by blocking suspicious activities and shutting down compromised processes on your computers much like a host-based intrusion prevention system would. Since it does not rely on signatures to identify malware it is typically more effective at preventing zero-day attacks because it can react to any suspicious activities detected on your network.
The disadvantage of this form of IDS is that if a false positive occurs, legitimate traffic could be blocked, or processes shut down unnecessarily. This means that its accuracy should be carefully monitored and configured by an experienced security specialist so as not to result in too many false positives which would impact the performance of your business’s computer systems.
Frequently Asked Questions about Network Intrusion Detection Systems
Can a Network Intrusion Detection System tell if a host is infected?
A NIDS cannot detect whether a host has been infected or not. They can, however, help ensure that any anomaly on the network or system level is caught and reported. For example, an IDS would be able to pick up unusual traffic from a host that is suspected to have been compromised without being affected by it themselves.
Where does a Network Intrusion Detection System send its logs?
A NIDS sends its logs directly to the Security Information and Event Management (SIEM) system, syslog servers, or other data input sources depending on how it is configured.
What type of data does a Network Intrusion Detection System collect?
A NIDS can typically detect attacks whether they are occurring on the network or not and will store information such as source/destination IP addresses, time stamps, packet details for each event that is detected. This also includes failed logins or other activity that breaches security policy.
Can a Network Intrusion Detection System replace an Inline Prevention System (IPS)?
No, a NIDS cannot be used as a substitute for an IPS. While both systems perform different functions it’s impossible to combine them into one device because each serves its own purpose. A NIDS stays in line with traffic allowing it to inspect every packet on the network, while an IPS acts against detected attacks.
Are Network Intrusion Detection Systems easy to manage and deploy?
Yes, most networks are already set up to send logs directly to a SIEM or other data inputs. Installing the additional components necessary for a NIDS is usually straightforward and does not require any major changes to the network’s configuration. Although, there are varying degrees of complexity depending on how much security is being implemented. For example, adding IPS capability requires configuring the IDS sensors correctly so that they do not generate too many false positives.
Are Network Intrusion Detection Systems hard to install?
No, setting up a NIDS is typically easy even for beginners because it often only requires following simple guidelines provided by the manufacturer during installation. After all mandatory components are installed, you can begin loading your network’s packet captures to the appliance.
How many Network Intrusion Detection Systems does it take to monitor a network?
Since it may be difficult to determine the actual number of NIDS required for your network, many suggest monitoring as much of the network traffic as possible. This can be done by placing IDS sensors in critical choke points throughout your entire infrastructure or distributing them out evenly across subnets which are then linked up through a SIEM system that centralizes reports generated by each appliance.
Does a Network Intrusion Detection System affect performance?
A NIDS does not usually have any effect on network performance unless there is extremely high traffic. If an alert happens at peak traffic times you might notice some slowdown, but if you input the information at a less busy time it should have almost no effect on performance. If this happens at peak traffic times you might notice some slowdown but if you input the information at a less busy time it should have almost no effect on performance.
How does a Network Intrusion Detection System protect my organization?
A NIDS will help protect your organization by analyzing and detecting malicious network activity. Additionally, they are capable of monitoring user accounts, file integrity, firewall logs, database server log files etc. for signs of suspicious activity, and can alert the security administrator when necessary.