The security of your network is of the highest priority, and an attack on your network could cost your business thousands, or even millions, of dollars. An intrusion detection system is a tool that monitors your network and alerts you when suspicious activity is detected. In this article, we will explain what an intrusion detection system is and how it works.
Intrusion Detection Systems
An intrusion detection system (IDS) is a hardware device or software program that observes a network or system for security policy violations, anomalies, or malicious activity. It does this by monitoring network traffic and inspecting network packets. These anomalies can be as simple as an unusual IP address appearing on your network or a high amount of data transferred at once.
Not to be confused with an intrusion prevention system (IPS), an intrusion detection system only detects attacks while an IPS aims to prevent attacks going forward. It is common for these two programs to be bundled together, working in tandem to detect and fight off attacks.
A good intrusion detection system will know the signatures of different attacks: the recognizable characteristics that make an attack detectable. For example, a Christmas tree attack is named as such because an unusual combination of TCP flags is set in its packets, lighting the header up like a Christmas tree. The intrusion detection system will know to look for these lit-up flags to spot the attack.
When an attack is detected, the intrusion detection system will alert the user with as much detail about the attack as possible to help them respond in the most informed way. Depending on the system, these alerts could be sent by email, pop-up message, or text.
Types of Intrusion Detection Systems
There are two main types of intrusion detection systems:
- Network Intrusion Detection Systems (NIDS): This system analyzes incoming network traffic and reports on it. Snort is a security expert-recommended network intrusion detection system. It is the most powerful open-source NIDS worldwide, with 600,000 registered users and over 5 million installations.
- Host-Based Intrusion Detection Systems (HIDS): This system monitors and documents the changes to an operating system’s critical files on the server. It is common to place them on Internet-connected devices that viruses, trojans, and ransomware could infect.
Additionally, we can break IDS down into further sub-types: signature detection, anomaly detection, and hybrid detection.
- Signature Intrusion Detection Systems (SIDS) use a specific pattern to detect threats. This term originated from the description used by antivirus software, where definitions refer to a detected pattern as a signature. Although these signature-based IDS can detect a known attack vector, they cannot identify a new attack type where no signature pattern or characteristic is available.
- Anomaly Intrusion Detection Systems (AIDS) implement a newer technological model designed to better adapt and defend against unknown attacks. AIDS often works by using machine learning to distinguish regular from suspicious activity. A well-implemented AIDS can also detect most SIDS attacks, so it is often considered a better choice.
- Hybrid Intrusion Detection Systems use both signature-based and anomaly-based diagnostics for discovery, enabling the system to better detect potential attack vectors, with a lower overall error rate than using each system separately.
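An added example, written for this article and not taken from Snort or any other product, of the hybrid approach just described, using the Christmas tree packet from earlier as the signature case: a signature table matches exact TCP flag combinations, while an anomaly detector flags any source whose traffic volume in a window exceeds a baseline learned from ordinary traffic. The packet records, the baseline window and the threshold of three standard deviations are all constructed for the illustration.

```python
import statistics
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Signature table: flag combinations that a legitimate TCP stack never sends.
# A "Christmas tree" packet lights up FIN, PSH and URG at once; a null scan sets nothing.
SIGNATURES = {
    FIN | PSH | URG: "xmas-tree-packet",
    0: "null-scan-packet",
}


def signature_check(flags):
    """Signature detection: exact match of the flags byte against known-bad patterns."""
    return SIGNATURES.get(flags)


def build_baseline(normal_bytes_per_host):
    """Anomaly detection needs a model of 'normal': mean and stdev of bytes per host per window."""
    return statistics.mean(normal_bytes_per_host), statistics.pstdev(normal_bytes_per_host)


def hybrid_ids(packets, baseline, k=3.0):
    """Run both detectors over one window of packets; each alert carries the evidence behind it."""
    alerts, volume = [], defaultdict(int)
    for p in packets:
        volume[p["src"]] += p["len"]
        rule = signature_check(p["flags"])
        if rule:
            alerts.append({"type": "signature", "rule": rule, "src": p["src"],
                           "dst_port": p["dport"], "flags": hex(p["flags"])})
    mean, stdev = baseline
    for src, total in volume.items():
        if total > mean + k * stdev:          # far above what a normal host moves per window
            alerts.append({"type": "anomaly", "rule": "volume-spike", "src": src,
                           "bytes": total, "threshold": round(mean + k * stdev)})
    return alerts


# Constructed data (not a capture): a learning window of ordinary hosts, then a window with
# one host probing with malformed flags and one host moving far more data than usual.
NORMAL_WINDOW = [12_000, 15_500, 9_800, 14_200, 11_900, 13_300]
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dport": 443, "flags": SYN, "len": 60},
    {"src": "10.0.0.5", "dport": 443, "flags": ACK | PSH, "len": 1400},
    {"src": "10.0.0.77", "dport": 22, "flags": FIN | PSH | URG, "len": 40},
    {"src": "10.0.0.77", "dport": 23, "flags": 0, "len": 40},
] + [{"src": "10.0.0.9", "dport": 445, "flags": ACK | PSH, "len": 1460}] * 40

if __name__ == "__main__":
    for alert in hybrid_ids(SAMPLE_PACKETS, build_baseline(NORMAL_WINDOW)):
        print(alert)
```

The signature rules fire on the two malformed packets regardless of volume, and the volume rule fires on 10.0.0.9 even though every one of its packets looks individually normal, which is exactly the gap each method covers for the other.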
Where is an IDS Located?
An intrusion detection system is placed behind a firewall but before the router. This location maximizes effectiveness, as the firewall handles different types of threats than an IDS does, and both want to sit in front of the router so that malicious traffic does not reach the users.
In larger environments, system and network administrators strategically place IDS sensors at various points around the network to increase efficacy and security, including major network junctions and departments that need their own higher level of security.
Intrusion Detection Systems vs Firewalls
An IDS will look internally at the network to find issues, while a firewall will look for threats externally by checking the traffic coming into the network. One cannot replace the other, and a highly secure network will have both an intrusion detection system and a firewall.
Advantages of an IDS
There are multiple advantages to implementing an IDS:
- The ability to analyze different types of network attacks, such as unauthorized access, malware, distributed denial of service (DDoS) attacks, and privilege escalation.
- Prompt detection can limit stolen or impacted customer data and save you money in the long run.
- It helps attain regulatory compliance. System logs will indicate you are taking steps to keep your network secure and that security regulations are being met or exceeded.
Disadvantages of an IDS
While there are multiple advantages, there are some disadvantages to an IDS:
- False positives can lead to an increased number of incidents requiring investigation, but a continuous review by your technical support team will help identify the false positives and eliminate them in the future.
- False negatives occur when an attack goes undetected and gets into the network, which tends to happen when the system is misconfigured or a ruleset has not been updated or applied.
- Attackers could target the IDS itself, which could prevent threats from being reported and allow other threats to sneak into the network. Because an IDS does not prevent attacks from happening, users must take steps to actively reduce their site's vulnerability to such attacks to keep their site secure.
- Your intrusion detection system could also be targeted by a DDoS attack, which would overload the IDS with traffic, restricting its ability to function properly. DDoS site and server protection will help keep things running smoothly.
- The cost of intrusion detection systems can range from free (open-source) to hundreds of thousands of dollars (large networks), with added costs for staffing, training, installation, and maintenance.
Alternatives to an Intrusion Detection System
Unified Threat Management (UTM) is a newer information security strategy for dealing with threats to your organization. A UTM is a single software or hardware product that handles the various security functions for your network, instead of several separate products each covering one area of security.
Depending on the specific features of your UTM, it can replace your IDS, IPS, firewall, antivirus software, web proxy, VPN, data loss prevention, and email filtering. With everything in one place, however, a UTM introduces a single point of failure in your network.
Get an Intrusion Detection System Now!
Let us help you find the best security option for your server. Our Threat Stack Oversight Intrusion Detection System offers threat monitoring, intrusion detection, 24/7/365 rapid response, and compliance best practices. For those needing end-to-end security, our Alert Logic Security & Compliance Suite offers enterprise-grade security monitoring, incident management, remediation guidance, 24/7/365 support, and more.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.