A network-based intrusion detection system (NIDS) monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

NIDSs typically perform most of their analysis at the application layer, for protocols such as HTTP, DNS, FTP, SMTP, and SNMP. They also analyze activity at the transport and network layers, both to identify attacks at those layers and to support the analysis of application-layer activity (e.g., a TCP port number hints at which application protocol is in use, although a sensor should not rely on the port alone, since attackers run services on non-standard ports). Some NIDSs also perform limited analysis at the data link (hardware) layer, such as inspecting ARP traffic for spoofed address mappings.

A typical NIDS is composed of sensors, one or more management servers, multiple consoles, and optionally, one or more database servers (if the NIDS supports their use). All of these components are similar to those of other types of IDS technologies, except for the sensors. An NIDS sensor monitors and analyzes network activity on one or more network segments. The network interface cards that will be performing monitoring are placed into promiscuous mode, which means that they accept every frame they see regardless of its destination MAC address, rather than only frames addressed to the interface or to broadcast and multicast addresses. Monitoring interfaces usually have no IP address assigned and normally do not transmit, so the sensor is neither visible nor addressable from the monitored segment; it communicates with its management server over a separate interface. Most IDS deployments use multiple sensors, with large deployments having hundreds of sensors.

Sensors are available in two formats:

Appliance

An appliance-based sensor consists of specialized hardware and sensor software. The hardware is typically optimized for sensor use, including specialized NICs and NIC drivers for efficient capture of packets, and specialized processors or other hardware components that assist in analysis. Parts or all of the IDS software might reside in firmware for increased efficiency. Appliances often use a customized, hardened OS that administrators are not intended to access directly.

Software Only

Some vendors sell sensor software without an appliance. Administrators can install the software onto hosts that meet certain specifications. The sensor software might include a customized OS, or it might be installed onto a standard OS just as any other application would.

Organizations should consider using management networks for their NIDS deployments whenever feasible. If an IDS is deployed without a separate management network, organizations should consider whether or not a VLAN is needed to protect the IDS communications.

In addition to choosing the appropriate network for the components, administrators also need to decide where the IDS sensors should be located. Sensors can be deployed in one of two modes:

Inline

An inline sensor is deployed so that the network traffic it is monitoring must pass through it, much like the traffic flow associated with a firewall. In fact, some inline sensors are hybrid firewall/IDS devices, while others are simply IDSs. The primary motivation for deploying IDS sensors inline is to enable them to stop attacks by blocking network traffic. Because every packet must traverse the sensor, an inline sensor adds latency and is a potential point of failure; organizations should decide for each deployment whether the sensor fails open (passes traffic uninspected) or fails closed (blocks all traffic) if it crashes or is overloaded. Inline sensors are typically placed where network firewalls and other network security devices would be placed: at the divisions between networks, such as connections with external networks and borders between different internal networks that should be segregated. Inline sensors that are not hybrid firewall/IDS devices are often deployed on the more secure side of a network division so that they have less traffic to process. Sensors can also be placed on the less secure side of a network division to provide protection for, and reduce the load on, the dividing device, such as a firewall.

Passive

A passive sensor is deployed so that it monitors a copy of the actual network traffic; no traffic actually passes through the sensor. Because the sensor is not in the forwarding path, it cannot drop packets; at most it can attempt to disrupt a session after the fact (e.g., by injecting TCP resets), by which time some malicious packets have already reached their destination. Passive sensors are typically deployed so that they can monitor key network locations, such as the divisions between networks, and key network segments, such as activity on a DMZ subnet. Passive sensors can monitor traffic through various methods, including the following:

Spanning Port

Many switches have a spanning port (also called a SPAN or mirror port), which is a port that can be configured to receive a copy of all traffic passing through the switch, or through selected ports or VLANs. Connecting a sensor to a spanning port allows it to monitor traffic going to and from many hosts. Although this monitoring method is relatively easy and inexpensive, it can also be problematic. If the switch is configured or reconfigured incorrectly, the spanning port might not see all the traffic. Spanning is also resource-intensive for the switch: under heavy load the spanning port may silently drop packets (a full-duplex link carrying traffic in both directions can exceed the capacity of a single output port), or spanning may be temporarily disabled, so the sensor's capture statistics should be checked for drops rather than assumed complete. Also, many switches support only one or a few spanning sessions, and there is often a need for multiple technologies, such as network monitoring tools, network forensic analysis tools, and other IDS sensors, to monitor the same traffic.

Network Tap

A network tap is a device inserted directly into the physical network media, such as a fiber-optic cable or copper link, that provides the sensor with a copy of all traffic carried by the media. A purely passive tap (e.g., an optical splitter) keeps the link up even if the tap itself loses power, which is an advantage over spanning ports, but full-duplex taps commonly present each direction of traffic on a separate monitor output, so the sensor needs two capture interfaces or an aggregating tap to see both sides of a session. Installing a tap generally involves some network downtime, and problems with a tap could cause additional downtime. Also, unlike spanning ports, which are usually already present throughout an organization, network taps need to be purchased as add-ons to the network.

IDS Load Balancer

An IDS load balancer is a device that aggregates and directs network traffic to monitoring systems, including IDS sensors. A load balancer can receive copies of network traffic from one or more spanning ports or network taps and aggregate traffic from different networks (e.g., reassemble a session that was split between two networks). The load balancer then distributes copies of the traffic to one or more listening devices, including IDS sensors, based on a set of rules configured by an administrator. The rules tell the load balancer which types of traffic to provide to each listening device.

NIDS products provide a wide variety of security capabilities. Some NIDSs offer limited information gathering capabilities, meaning that they can collect information on hosts and the network activity involving those hosts (e.g., an inventory of observed hosts, their operating systems, and the services they use). NIDSs typically log extensive data about detected events; this data can be used to confirm the validity of alerts, investigate incidents, and correlate events between the IDS and other logging sources. NIDSs typically offer extensive and broad detection capabilities. Most products combine signature-based detection, anomaly-based detection, and stateful protocol analysis to perform in-depth analysis of common protocols, and organizations should prefer products that use such a combination, since each technique misses what the others catch: signatures do not detect novel attacks, anomaly detection raises false positives on legitimate but unusual activity, and protocol analysis flags only departures from how the protocol is expected to be used. The detection methods are usually tightly interwoven; for example, a stateful protocol analysis engine might parse activity into requests and responses, each of which is examined for anomalies and compared to signatures of known bad activity. Some products also use the same techniques and provide the same functionality as network behavior analysis (NBA) software.
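The following is an added example, not code from the original page or from any NIDS product, showing how the three techniques interlock on one HTTP session: a small stateful engine pairs requests with responses, and each parsed request is then checked against signatures of known-bad URIs and against anomaly thresholds. It assumes TCP reassembly has already been done, and the session data, signature list, and thresholds (MAX_URI_LEN, KNOWN_METHODS) are constructed for illustration.

```python
"""Added example: a toy NIDS engine combining stateful protocol analysis,
signature matching and anomaly checks over one HTTP session.
Constructed sample traffic; signatures and thresholds are illustrative."""
import re

# Signature-based detection: patterns of known-bad activity, matched against the request URI.
SIGNATURES = [
    ("directory traversal in URI", re.compile(rb"(\.\./|%2e%2e)", re.I)),
    ("request for /etc/passwd", re.compile(rb"/etc/passwd", re.I)),
]
# Anomaly-based detection: deviations from an assumed baseline of normal HTTP use.
MAX_URI_LEN = 1024
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}

# Constructed session (assumes TCP reassembly already done): (direction, application data).
SESSION = [
    ("c2s", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("c2s", b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    ("c2s", b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 414 URI Too Long\r\nContent-Length: 0\r\n\r\n"),
    ("c2s", b"DEBUG / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),  # response with no request
]


def parse_request(data):
    """Return (method, uri, version) from an HTTP request line, or None if malformed."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def parse_response(data):
    """Return the numeric status code from an HTTP status line, or None if malformed."""
    parts = data.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def analyze_session(session):
    """Walk one session in order, tracking protocol state, and return alert strings."""
    alerts = []
    expecting = "request"  # stateful protocol analysis: a response must follow a request
    txn = 0
    for direction, data in session:
        if direction == "c2s":
            txn += 1
            if expecting != "request":  # legal HTTP/1.1 pipelining, but unusual enough to note
                alerts.append(f"txn {txn}: stateful: new request while a response was outstanding")
            expecting = "response"
            req = parse_request(data)
            if req is None:
                alerts.append(f"txn {txn}: stateful: malformed request line")
                continue
            method, uri, _version = req
            for name, pattern in SIGNATURES:  # signature-based
                if pattern.search(uri):
                    alerts.append(f"txn {txn}: signature: {name}")
            if method not in KNOWN_METHODS:  # anomaly-based
                alerts.append(f"txn {txn}: anomaly: unexpected method {method.decode(errors='replace')}")
            if len(uri) > MAX_URI_LEN:
                alerts.append(f"txn {txn}: anomaly: URI length {len(uri)} exceeds {MAX_URI_LEN}")
        else:
            if expecting != "response":
                alerts.append(f"after txn {txn}: stateful: response with no outstanding request")
            expecting = "request"
            if parse_response(data) is None:
                alerts.append(f"after txn {txn}: stateful: malformed status line")
    return alerts


if __name__ == "__main__":
    for alert in analyze_session(SESSION):
        print(alert)
```

The traversal request trips two signatures, the 2001-byte URI and the unknown method trip anomaly checks that no signature covers, and the stray response is caught only because the engine tracks where the protocol exchange stands; a real product applies the same layering across many protocols and with far larger rule sets.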

NIDS sensors offer various prevention capabilities, which depend on the deployment mode. Passive-only sensors can attempt to end the current TCP session by sending spoofed reset packets to both endpoints; this is a best-effort measure, since some malicious packets have already been delivered and an endpoint may ignore a reset whose sequence number is no longer the one it expects. Inline-only sensors can perform firewalling (dropping or rejecting packets), throttle the bandwidth used by a protocol or host, and alter malicious content before forwarding it. Sensors in either mode can reconfigure other network security devices (e.g., add a firewall rule) and run a third-party program or script in response to an event.
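The following is an added example, not code from the original page or from any NIDS product, of the one prevention action a passive sensor has: ending a TCP session with spoofed resets. From a single observed client-to-server segment it builds the RST the sensor would send to the server (spoofed from the client) and the RST/ACK it would send to the client (spoofed from the server), with sequence numbers matching what each endpoint expects next and with valid IP and TCP checksums. Nothing is transmitted; the addresses, ports, and sequence numbers are constructed, and the code assumes IPv4 with no IP or TCP options.

```python
"""Added example: the TCP resets a passive sensor injects to end a session it cannot block.
Builds both RST segments from one observed client->server segment; nothing is sent.
Addresses, ports and sequence numbers are constructed; IPv4 and TCP options are not handled."""
import struct

RST, ACK, PSH, SYN, FIN = 0x04, 0x10, 0x08, 0x02, 0x01


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Build an IPv4 header (no options) plus a TCP header (no options) with valid checksums."""
    src, dst = bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields a sensor needs from an IPv4/TCP packet (options are skipped, not parsed)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:],
    }


def checksums_valid(pkt: bytes) -> bool:
    """A correct one's-complement checksum verifies to zero over the bytes it covers."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def craft_resets(observed: bytes) -> tuple:
    """From one observed client->server segment, build the RST to the server (spoofed from
    the client) and the RST/ACK to the client (spoofed from the server). Each RST carries the
    sequence number its receiver expects next; RFC 793 requires an in-window sequence number
    and RFC 5961 stacks answer anything but the exact expected value with a challenge ACK."""
    p = parse_ipv4_tcp(observed)
    consumed = len(p["payload"]) + bool(p["flags"] & SYN) + bool(p["flags"] & FIN)
    next_seq = (p["seq"] + consumed) & 0xFFFFFFFF  # the server's RCV.NXT after this segment
    to_server = build_ipv4_tcp(p["src"], p["dst"], p["sport"], p["dport"],
                               seq=next_seq, ack=0, flags=RST)
    to_client = build_ipv4_tcp(p["dst"], p["src"], p["dport"], p["sport"],
                               seq=p["ack"], ack=next_seq, flags=RST | ACK)  # client's RCV.NXT = what it acked
    return to_server, to_client


# Constructed observed segment: client 10.0.0.5:40000 -> server 192.0.2.10:80, seq 1000, ack 5000.
OBSERVED = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 80, 1000, 5000, PSH | ACK,
                          b"GET /etc/passwd HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in zip(("to server", "to client"), craft_resets(OBSERVED)):
        f = parse_ipv4_tcp(pkt)
        print(f"{name}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"seq={f['seq']} ack={f['ack']} flags={f['flags']:#04x} ok={checksums_valid(pkt)}")
```

The sequence arithmetic is the point: the sensor is racing the real endpoints, and if either side has already sent or received more data by the time the RST arrives, the reset falls outside the expected value and is ignored or challenged, which is why session termination from a passive sensor is unreliable compared with dropping packets inline.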