A network intrusion detection system (NIDS) can be an integral part of an organization’s security, but they are just one aspect of many in a cohesive and safe system. They have many great applications, but there are also weaknesses that need to be considered. It is important to compare an NIDS against the alternatives, as well as to understand the best ways to implement them.

What Is an Intrusion Detection System?

Intrusion detection systems are a lot like fire alarms. Just as a fire alarm detects smoke, an intrusion detection system idenitifies incidents and potential threats. They are incredibly useful for raising awareness, but if you don’t hear the alarm or react appropriately, your house may burn down.

While a firewall is there to keep out malicious attacks, an IDS is there to detect whether someone or something is trying up to suspicious or nefarious activity. When it detects something, it notifies the system administrator.

An IDS is a visibility tool that sits off to the side of the network and monitors traffic. It consists of a management console and sensors. When the sensors encounter something that matches up to a previously detected attack signature, they report the activity to the console. An IDS can notify security personnel of infections, spyware or key loggers, as well as accidental information leakage, security policy violations, unauthorized clients and servers, and even configuration errors.

Intrusion Detection Systems vs. Intrusion Prevention Systems (IPS)

An IPS is similar to an IDS, except that they are able to block potential threats as well. They monitor, log and report activities, similarly to an IDS, but they are also capable of stopping threats without the system administrator getting involved. If an IPS is not tuned correctly, it can also deny legitimate traffic, so they are not suitable for all applications.

Network Intrusion Detection Systems vs. Host Intrusion Detection Systems (HIDS)

An NIDS and an HIDS are complementary systems that differ by the position of the sensors: network-based (monitoring the ethernet or WiFi) and host-based, respectively. Because of this, their uses and deployment are quite different.

Network-based sensors have a quicker response than host-based sensors and they are also easier to implement. An NIDS doesn’t need to alter the existing infrastructure and they monitor everything on a network segment, regardless of the target host’s operating system. As they do not need software loaded and managed at the different hosts in the network, they have a lower cost of setup and ownership.

An NIDS can detect attacks that an HIDS will miss because it looks at packet headers in real-time. In saying this, an HIDS will also be able to pick up some things that an NIDS will miss, such as unauthorized users making changes to the system files. An HIDS monitors event and audit logs, comparing new entries to attack signatures. This is resource intensive, so your organization will need to plan for the additional hardware required.

Another benefit of an NIDS is that they detect incidents in real-time, meaning that they can log evidence that an attacker may otherwise try to erase. While the real-time detection abilities of an NIDS allow for quicker responses, they also turn up more false positives than an HIDS. Hybrid NIDS and HIDS solutions that combine aspects of both systems are also available and can be useful in different scenarios.

Pros of Network Intrusion Detection Systems:

They Can Be Tuned to Specific Content in Network Packets

Firewalls may be able to show you the ports and IP addresses that are used between two hosts, but in addition a NIDS can be tuned to show you the specific content within the packets. This can be used to for uncovering intrusions such as exploitation attacks or compromised endpoint devices that are part of a botnet.

They Can Look at Data in the Context of the Protocol

When an NIDS performs protocol analysis, it looks at the TCP and UDP payloads. The sensors can detect suspicious activity because they know how the protocols should be functioning.

They Can Qualify and Quantify Attacks

An IDS analyzes the amount and types of attacks. This information can be used to change your security systems or implement new controls that are more effective. It can also be analyzed to identify bugs or network device configuration problems. The metrics can then be used for future risk assessments.

They Make It Easier to Keep Up With Regulation

Because an IDS gives you greater visibility across your network, they make it easier to meet security regulations. You can also use your IDS logs as part of the documentation to meet certain requirements.

They Can Boost Efficiency

Because IDS sensors can detect network devices and hosts, they can inspect the data within the network packets and identify the services or operating systems that are being utilized. This saves a lot of time when compared to doing it manually. An IDS can also automate hardware inventories, further reducing labor. These improved efficiencies can help to reduce an organization’s staff costs and offset the cost of implementing the IDS.

Cons of Network Intrusion Detection Systems:

They Will Not Prevent Incidents By Themselves

An IDS does not block or prevent attacks, they merely help to uncover them. Because of this, an IDS needs to be part of a comprehensive plan that includes other security measures and staff who know how to react appropriately.

An Experienced Engineer Is Needed to Administer Them

An IDS is immensely helpful for monitoring the network, but their usefulness all depends on what you do with the information that they give you. Because detection tools don’t block or resolve potential issues, they are ineffective at adding a layer of security unless you have the right personnel and policy to administer them and act on any threats.

They Do Not Process Encrypted Packets

An IDS cannot see into encrypted packets, so intruders can use them to slip into the network. An IDS will not register these intrusions until they are deeper into the network, which leaves your systems vulnerable until the intrusion is discovered. This is a huge concern as encryption is becoming more prevalent to keep our data secure.

IP Packets Can Still Be Faked

The information from an IP packet is read by an IDS, but the network address can still be spoofed. If an attacker is using a fake address, it makes the threat more difficult to detect and assess.

False Positives Are Frequent

One significant issue with an IDS is that they regularly alert you to false positives. In many cases false positives are more frequent than actual threats. An IDS can be tuned to reduce the number of false positives, however your engineers will still have to spend time responding to them. If they don’t take care to monitor the false positives, real attacks can slip through or be ignored.

They Are Susceptible to Protocol Based Attacks

An NIDS analyzes protocols as they are captured, which means that they face the same protocol based attacks as network hosts. An NIDS can be crashed by protocol analyzer bugs and also invalid data.

The Signature Library Needs to Be Continually Updated to Detect the Latest Threats

An IDS is only as good as its signature library. If it isn’t updated frequently, it won’t register the latest attacks and it can’t alert you about them. Another issue is that your systems are vulnerable until a new threat has been added to the signature library, so the latest attacks will always be a big concern.

More Reading and Other Resources

Intrusion Detection Systems