Network intrusion detection system
A Network Intrusion Detection System (NIDS) is an intrusion detection system that tries to detect malicious activity, such as denial of service attacks, port scans or attempts to break into computers, by Network Security Monitoring (NSM) of network traffic.
A NIDS reads the packets it sees and tries to find suspicious patterns, known as signatures or rules. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one can assume that someone is conducting a port scan of some or all of the computers in the network. Such threshold rules need tuning: set too low they fire on legitimate monitoring tools or crawlers, and a scanner that spreads its probes over a long period can stay under them. A NIDS also tries to detect incoming shellcode in the same way, by matching packet payloads against known byte patterns.
A NIDS is not limited to inspecting incoming network traffic. Valuable information about an ongoing intrusion can often be learned from outgoing or local traffic as well. Some attacks are staged from inside the monitored network or network segment, and so never appear as incoming traffic at all.
Network intrusion detection systems often work together with other systems. They can, for example, update a firewall's blacklist with the IP addresses of computers used by (suspected) attackers. Automatic blocking needs its own safeguards: a spoofed source address or a misfiring rule can otherwise be used to lock legitimate hosts out.
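The three paragraphs above describe the core of a threshold-based NIDS rule: count connection requests per source, decide when the fan-out looks like a port scan regardless of whether the source is inside or outside the segment, and hand the result to a firewall. The following Python is an added example written for this page, not code from the article or from any NIDS product. It assumes a hypothetical one-record-per-line capture format (`epoch src dst dport tcp_flags`); the traffic records, the threshold and window values, and the iptables output format are all constructed for illustration.

```python
"""Toy threshold-based port-scan detector with firewall blocklist output.

Added example, not code from the original article or from any NIDS
product. It assumes a hypothetical one-record-per-line capture format:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>
The sample records below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time, epoch seconds
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags as letters, e.g. "S" = bare SYN, "SA" = SYN/ACK


def parse_line(line: str) -> Packet:
    ts, src, dst, dport, flags = line.split()
    return Packet(float(ts), src, dst, int(dport), flags)


class PortScanDetector:
    """Alert once per source that sends connection requests (bare SYNs) to
    at least `threshold` distinct (destination, port) targets inside a
    sliding window of `window` seconds. Direction is ignored, so an internal
    host sweeping its own segment is caught just like an external one."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.alerted = set()

    def observe(self, pkt: Packet):
        # Only bare SYNs are connection requests; SYN/ACK and ACK belong to
        # replies or established flows and would inflate the count.
        if "S" not in pkt.flags or "A" in pkt.flags:
            return None
        q = self.recent[pkt.src]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        while q and pkt.ts - q[0][0] > self.window:   # evict events outside the window
            q.popleft()
        targets = {target for _, target in q}
        if len(targets) >= self.threshold and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return {"src": pkt.src, "distinct_targets": len(targets), "ts": pkt.ts}
        return None


def run(lines, threshold: int = 10, window: float = 5.0):
    """Feed capture records through the detector and return the alerts raised."""
    det = PortScanDetector(threshold, window)
    alerts = []
    for line in lines:
        if line.strip():
            alert = det.observe(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


def blocklist_rules(alerts):
    """Render alerts as firewall drop rules (iptables syntax, standing in for the
    article's 'update the firewall blacklist' step). A real deployment would add
    an expiry and refuse to block addresses on its own allow list."""
    return [f"iptables -I INPUT -s {a['src']} -j DROP" for a in alerts]


def constructed_sample():
    """Constructed traffic: a fast external scan, an internal scan of a
    neighbour, a benign HTTPS client, and a slow scan that stays under the window."""
    lines = []
    for i, port in enumerate(range(20, 41)):             # 21 ports in about 2 s
        lines.append(f"{1700000000 + i * 0.1:.1f} 10.0.0.5 192.168.1.10 {port} S")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(f"{1700000100 + i * 0.2:.1f} 192.168.1.20 192.168.1.30 {port} S")
    lines += [                                             # benign client
        "1700000200.0 192.168.1.50 203.0.113.10 443 S",
        "1700000200.1 203.0.113.10 192.168.1.50 443 SA",
        "1700000200.2 192.168.1.50 203.0.113.10 443 A",
        "1700000201.0 192.168.1.50 203.0.113.11 443 S",
        "1700000202.0 192.168.1.50 203.0.113.12 443 S",
    ]
    for i, port in enumerate(range(8000, 8012)):         # 12 ports, 10 s apart
        lines.append(f"{1700000300 + i * 10:.1f} 10.0.0.9 192.168.1.10 {port} S")
    return lines


if __name__ == "__main__":
    found = run(constructed_sample())
    for a in found:
        print(a)
    print("\n".join(blocklist_rules(found)))
```

With the default 10 targets in 5 seconds, the external scanner and the internal scanner are both reported and turned into drop rules, while the benign client (three distinct targets) is not. The slow scanner at 10.0.0.9 probes one port every 10 seconds and is never seen within a single window; widening the window to a few minutes catches it, which is the tuning trade-off the paragraph above describes.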
Certain Defense Information Systems Agency (DISA) documentation, such as the Network STIG (Security Technical Implementation Guide), uses the term NID to distinguish an internal IDS instance from its outward-facing counterpart.
See also
- Application protocol-based intrusion detection system (APIDS)
- Bro, an open source NIDS
- Bypass switch
- Honeypot (or Honeynet)
- Host-based intrusion detection system (HIDS)
- Intrusion prevention system (IPS)
- Protocol-based intrusion detection system (PIDS)
- Snort, an open source NIDS
External links
- U.S. Defense Information Systems Agency (DISA) Information Assurance Support Environment (IASE)
- EasyIDS - Free customized CentOS install CD containing Snort, Barnyard, BASE, ntop and more; most of what is needed for a NIDS.
- Comprehensive List of Commercial NIDS, Mosaic Security Research