NID(P)S, or Networking Intrusion (Prevention)/Detection systems are used by a security team for general network security monitoring. They work by passively monitoring (or actively gating, in the NIPS case) network traffic and applying rules or signatures to trigger alerts.

Advantages

  • Easy to deploy: Unlike endpoint devices, they can be placed at strategic network points (such as egress) and do not require access to endpoints to install software in order to do monitoring, so they are good for detecting threats when no endpoint monitoring is in place, such as rogue devices coming online.
  • Wide coverage: NIDS monitoring is also suitable for threats on devices you can’t install endpoint security monitoring on due to performance reasons or lack of viable monitoring product (e.g., a mobile device, printer, or a network switch).

Disadvantages

  • They can’t see much about encrypted traffic (other than metadata), so certain threats can be difficult to identify.
  • Often logs from the endpoint itself (such as process activity logs, event logs, and other metadata) or forensics is required to confirm an intrusion.
  • It is difficult to make NIDS scale well under high performing networks with a lot of signatures/rules, so a security team on enterprise networks must carefully “tune” these devices to only load the signatures and rules that apply to them, and will not generate false positives.
  • By default, without tuning, these devices can generate a lot of false positives or low-priority alerts that can be noisy for a security team to handle.

Other

  • Increasingly, network analytics products are also being used for anomaly detection in addition to signature- based network monitoring.
  • Alerts from these devices are often correlated using a SIEM, Log Managment, or similar solution to provide more context around an alert (for example, all alerts for the same IP address within a time frame can be handled with more accuracy than a single alert at a point in time).

Example NIDS

OSS/Free

  • Snort – One of the first traditional signature based NIDS. OSS, but commercial version sold by Sourcefire.
  • Suricata – Popular OSS IDS / IPS / NSM engine but also has other network protocol analysis / IPS capabilities.
  • Bro – OSS. Not a traditional NIDS, but can craft alerts based on protocol analysis and custom scripts.