Network Based Intrusion Detection System

Domain 7

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

NIDS and NIPS

A network-based intrusion detection system (NIDS) detects malicious traffic on a network. NIDS usually require promiscuous network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor; Fig. 7.2 shows a typical NIDS architecture. The NIDS sniffs the internal interface of the firewall in read-only fashion and sends alerts to a NIDS Management server via a different (i.e., read/write) network interface.

Fig. 7.2. NIDS architecture.

The difference between a NIDS and a NIPS is that the NIPS alters the flow of network traffic. There are two types of NIPS: active response and inline. Architecturally, an active response NIPS is like the NIDS in Fig. 7.2; the difference is that the monitoring interface is read/write. The active response NIPS may "shoot down" malicious traffic via a variety of methods, including forging TCP RST segments to source or destination (or both), or sending ICMP port, host, or network unreachable to source.

An inline NIPS is "in line" with traffic, acting as a Layer 3–7 firewall by passing or allowing traffic, as shown in Fig. 7.3.

Fig. 7.3. Inline NIPS architecture.

Note that a NIPS provides defense-in-depth protection in addition to a firewall; it is not typically used as a replacement. Also, a false positive by a NIPS is more damaging than one by a NIDS because legitimate traffic is denied, which may cause production problems. A NIPS usually has a smaller set of rules compared to a NIDS for this reason, and only the most trustworthy rules are used. A NIPS is not a replacement for a NIDS; many networks use both a NIDS and a NIPS.


URL:

https://www.sciencedirect.com/science/article/pii/B9780128112489000073

Introduction to Intrusion Detection Systems

In Cisco Security Professional's Guide to Secure Intrusion Detection Systems, 2003

Network IDS

Network-based intrusion detection systems (NIDS) are devices intelligently distributed within networks that passively inspect traffic traversing the devices on which they sit. NIDS can be hardware or software-based systems and, depending on the manufacturer of the system, can attach to various network mediums such as Ethernet, FDDI, and others. Often, NIDS have two network interfaces. One is used for listening to network conversations in promiscuous mode and the other is used for control and reporting.

With the advent of switching, which isolates unicast conversations to ingress and egress switch ports, network infrastructure vendors have devised port-mirroring techniques to replicate all network traffic to the NIDS. There are other means of supplying traffic to the IDS such as network taps. Cisco uses Switched Port Analyzer (SPAN) functionality to facilitate this capability on their network devices and, in some network equipment, includes NIDS components directly within the switch. We'll discuss Cisco's IDS products in the next chapter.

While there are many NIDS vendors, all systems tend to function in one of two ways; NIDS are either signature-based or anomaly-based systems. Both are mechanisms that separate benign traffic from its malicious brethren. Potential issues with NIDS include high-speed network data overload, tuning difficulties, encryption, and signature development lag time. We'll cover how IDS work and the difficulties involved with them later in this section.


URL:

https://www.sciencedirect.com/science/article/pii/B9781932266696500215

Local Area Network Security

Pramod Pandya, in Computer and Information Security Handbook (Third Edition), 2013

10 Network Intrusion Detection System: Scope and Limitations

NIDS sensors scan network packets at the router or host level, auditing data packets and logging any suspicious packets to a log file. Fig. e16.2 is an example of an NIDS. The data packets are captured by a sniffer program, which is a part of the IDS software package. The node on which the IDS software is enabled runs in promiscuous mode. In promiscuous mode, the NIDS node captures all of the data packets on the network as defined by the configuration script. NIDSs have become a critical component of network security management because the number of nodes on the Internet has grown exponentially over the past few years. Some common malicious attacks on networks are:

Figure e16.2. An example of a network-based intrusion detection system (NIDS). LAN, local area network; NAT, Network Address Translation; OUT, external network.

IP address spoofing

media access control (MAC) address spoofing

Address Resolution Protocol (ARP) cache poisoning

DNS name corruption
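As an added example (not code from the handbook), the following Python detector does what a NIDS sensor in promiscuous mode would do for two of the attacks listed above: it parses raw Ethernet/ARP frames and flags an IP address whose MAC binding changes in a later ARP reply, the symptom of ARP cache poisoning and MAC address spoofing. The frame layout is standard Ethernet/ARP; all addresses and frames are constructed.

```python
# Added example (not from the handbook): a minimal NIDS-style check for ARP cache
# poisoning and MAC spoofing over raw Ethernet frames. All frames are constructed.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac, opcode) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP after the 14-byte Ethernet header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    oper = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac, oper

class ArpWatch:
    """Remembers the first MAC seen for each IP; a later reply that rebinds the IP
    to a different MAC is the classic symptom of ARP cache poisoning."""
    def __init__(self):
        self.bindings = {}

    def inspect(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] != ARP_REPLY:
            return None            # only replies populate a victim's ARP cache
        ip, mac, _ = parsed
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            return f"ARP rebinding: {ip} was {known}, now claimed by {mac}"
        return None

def arp_frame(sender_mac, sender_ip, target_mac, target_ip, oper=ARP_REPLY) -> bytes:
    """Build an Ethernet/ARP frame (constructed sample input for the detector)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + smac + sip + tmac + tip
    return eth + arp

def demo():
    """Gateway 10.0.0.1 answers from its real MAC twice, then a second MAC claims it."""
    watch = ArpWatch()
    good = arp_frame("aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:09", "10.0.0.9")
    bad = arp_frame("de:ad:be:ef:00:66", "10.0.0.1", "aa:bb:cc:00:00:09", "10.0.0.9")
    return [watch.inspect(good), watch.inspect(good), watch.inspect(bad)]
```

A production sensor would additionally age bindings out and whitelist legitimate failover (e.g. VRRP) addresses, otherwise the same check produces false positives.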


URL:

https://www.sciencedirect.com/science/article/pii/B9780128038437000168

Locking Down Your XenApp Server

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Network IDS

The NIDS derives its name from the fact that it monitors the entire network. More accurately, it monitors an entire network segment. Normally, a computer network interface card (NIC) operates in nonpromiscuous mode. In this mode of operation, only packets destined for the NIC's specific media access control (MAC) address are forwarded up the stack for analysis. The NIDS must operate in promiscuous mode to monitor network traffic not destined for its own MAC address. In promiscuous mode, the NIDS can eavesdrop on all communications on the network segment. Operation in promiscuous mode is necessary to protect your network. Nevertheless, in view of emerging privacy regulations, monitoring network communications is a responsibility that must be considered carefully.

In Figure 7.2, we see a network using three NIDS. The units have been placed on strategic network segments and can monitor network traffic for all devices on the segment. This configuration represents a standard perimeter security network topology where the screened subnets on the DMZ housing the public servers are protected by NIDS. When a public server is compromised on a screened subnet, the server can become a launching platform for additional exploits. Careful monitoring is necessary to prevent further damage.

Figure 7.2. NIDS Network

The internal host systems inside the firewall are protected by an additional NIDS to mitigate exposure to internal compromise. The use of multiple NIDS within a network is an example of a defense-in-depth security architecture.


URL:

https://www.sciencedirect.com/science/article/pii/B978159749281200007X

Embedded security

J. Rosenberg, in Rugged Embedded Systems, 2017

2.3.1 Network intrusion-detection systems

NIDS are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.


URL:

https://www.sciencedirect.com/science/article/pii/B9780128024591000117

Guarding Against Network Intrusions

Thomas M. Chen, Patrick J. Walsh, in Network and System Security (Second Edition), 2014

Traffic Monitoring

Network-based IDSs typically monitor network packets for signs of reconnaissance, exploits, DoS attacks, and malware. They have strengths to complement host-based IDSs: Network-based IDSs can see traffic for a population of hosts; they can recognize patterns shared by multiple hosts; and they have the potential to see attacks before they reach the hosts.

IDSs are placed in various locations for different views, as shown in Figure 3.6. An IDS outside a firewall is useful for learning about malicious activities on the Internet. An IDS in the DMZ will see attacks originating from the Internet that are able to get through the outer firewall to public servers. Lastly, an IDS in the private network is necessary to detect any attacks that are able to successfully penetrate perimeter security.

Figure 3.6. IDSs monitoring various network zones.


URL:

https://www.sciencedirect.com/science/article/pii/B9780124166899000034

Intrusion Prevention and Detection Systems

Christopher Day, in Computer and Information Security Handbook, 2009

11. Network-based Intrusion Prevention Systems

NIDS are designed to passively monitor traffic and raise alarms when suspicious traffic is detected, whereas network-based intrusion prevention systems (NIPS) are designed to go one step further and actually try to prevent the attack from succeeding. This is typically accomplished by inserting the NIPS device inline with the traffic it is monitoring. Each network packet is inspected and only passed if it does not trigger some sort of alarm based on a signature match or anomaly threshold. Suspicious packets are discarded and an alarm is generated.

The ability to intervene and stop known attacks, in contrast to the passive monitoring of NIDS, is the greatest benefit of NIPS. However, NIPS suffers from the same drawbacks and limitations as discussed for NIDS, such as heavy reliance on static signatures, inability to examine encrypted traffic, and difficulties with very high network speeds. In addition, false alarms are much more significant due to the fact that the NIPS may discard that traffic even though it is not really malicious. If the destination system is business or mission critical, this action could have significant negative impact on the operation of the organization. Thus, great care must be taken to tune the NIPS during a training period where there is no packet discard before allowing it to begin blocking any detected, malicious traffic.
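As an added example (not code from this chapter or the Eleventh Hour CISSP excerpt above), the following Python sketch shows the per-packet decision both passages describe: a NIDS only alerts, a NIPS in its training period alerts without discarding anything, and a NIPS in blocking mode drops only on its smaller set of trustworthy rules, while signature matches and anomaly-threshold hits are alerted in every mode. The rule names, byte signatures, packets and the rate threshold are constructed for illustration.

```python
# Added example (not from the handbook): the per-packet decision of an inline NIPS
# versus a passive NIDS, with the two safeguards the text describes: a training
# period in which nothing is discarded, and blocking only on the most trustworthy
# rules. Rules, packets and the rate threshold are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    pattern: bytes       # byte signature searched for in the payload
    trusted: bool        # only trusted rules are allowed to deny traffic

@dataclass
class Inspector:
    rules: list
    mode: str = "nids"               # "nids", "nips-training" or "nips"
    rate_threshold: int = 50         # anomaly threshold: packets per source
    counts: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def inspect(self, src: str, payload: bytes) -> str:
        """Return 'PASS' or 'DROP'; every match is alerted, only 'nips' mode drops."""
        hits = [(f"signature:{r.name}", r.trusted) for r in self.rules if r.pattern in payload]
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] > self.rate_threshold:
            # anomaly-based detections are noisy, so they never earn blocking rights here
            hits.append((f"anomaly:rate>{self.rate_threshold} from {src}", False))
        self.alerts.extend((src, reason) for reason, _ in hits)
        if self.mode == "nips" and any(trusted for _, trusted in hits):
            return "DROP"
        return "PASS"                # NIDS and training-mode NIPS only alert

# Constructed rules: one high-confidence exploit signature, one noisy heuristic.
RULES = [Rule("exploit-foo", b"EVIL", trusted=True),
         Rule("admin-path-heuristic", b"/admin", trusted=False)]

def demo() -> dict:
    """Run the same three packets through each mode; return (decisions, alert count)."""
    packets = [("10.0.0.5", b"GET /admin HTTP/1.1"),
               ("10.0.0.5", b"EVIL payload"),
               ("10.0.0.7", b"hello")]
    results = {}
    for mode in ("nids", "nips-training", "nips"):
        ins = Inspector(list(RULES), mode=mode, rate_threshold=3)
        decisions = [ins.inspect(src, payload) for src, payload in packets]
        results[mode] = (decisions, len(ins.alerts))
    return results
```

Promoting a rule from alert-only to trusted is the tuning step the text describes: it should happen only after the training period shows the rule produces no false alarms on production traffic.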


URL:

https://www.sciencedirect.com/science/article/pii/B9780123743541000182