Network intrusion detection systems are increasingly important for network security. Anti-virus software and firewalls can only block unauthorized entry into a system.
These traditional network security systems cannot guard against compromised user accounts or naive employees who get duped.
- 1 The purpose of NIDS
- 2 Difference between NIDS and SIEM
- 3 NIDS or HIDS
- 4 NIDS detection methods
- 5 Intrusion detection and intrusion prevention
- 6 Recommended NIDS
- 7 Implementing NIDS
The purpose of NIDS
Intrusion detection systems look for patterns in network activity to identify malicious activity. The need for this category of security system arose because of changes in hacker methods in reaction to earlier successful strategies to block malicious activities.
Firewalls have become very effective at blocking inbound connection attempts. Antivirus software has successfully identified infections carried through USB sticks, data disks, and email attachments. With traditional malicious methods blocked, hackers turned to attack strategies such as Distributed Denial of Service (DDoS) attacks. Edge services now make those attack vectors less threatening.
Today, the Advanced Persistent Threat (APT) is the biggest challenge to network managers. These attack strategies are even now used by national governments as part of hybrid warfare. In an APT scenario, a group of hackers gain access to a corporate network and use the resources of the company for their own purposes as well as getting access to company data for sale.
The collection of personal data held on company databases has become a profitable business, thanks to data agencies. That information can also be used for malicious purposes and can feed back into access strategies through doxing. The information available on company customer, supplier, and employee databases is a useful resource for whaling and spearphishing campaigns. These methods have been used effectively by con artists to trick company employees into transferring money or disclosing secrets personally. They can also be used to blackmail company workers into acting against the interests of their employers.
Disgruntled employees also present problems for corporate data security. A lone worker with network and database access can wreak havoc by using authorized accounts to cause damage or steal data.
So, network security now has to encompass methods that go far beyond blocking unauthorized access and preventing the installation of malicious software. Network-based intrusion detection systems offer very effective protection against all hidden intruder activity, malicious employee activity, and con artist masquerading.
Difference between NIDS and SIEM
When seeking new security systems for your network, you will encounter the term SIEM. You may wonder whether this means the same as NIDS.
There is a great deal of overlap between the definitions of SIEM and NIDS. SIEM stands for Security Information and Event Management. The field of SIEM is a combination of two pre-existing categories of protection software. There are Security Information Management (SIM) and Security Event Management (SEM).
The field of SEM is very similar to that of NIDS. Security Event Management is a category of SIEM that focuses on examining live network traffic. This is exactly the same as the specialization of network-based intrusion detection systems.
NIDS or HIDS
Network-based intrusion detection systems are part of a broader category, which is intrusion detection systems. The other type of IDS is a host-based intrusion detection system or HIDS. Host-based intrusion detection systems are roughly equivalent to the Security Information Management element of SIEM.
While network-based intrusion detection systems look at live data, host-based intrusion detection systems examine the log files on the system. The benefit of NIDS is that these systems are immediate. By looking at network traffic as it happens, they are able to take action quickly. However, many activities of intruders can only be spotted over a series of actions. It is even possible for hackers to split malicious commands between data packets. As NIDS works at the packet level, it is less capable of spotting intrusion strategies that spread across packets.
HIDS examines event data once it has been stored in logs. Writing records to log files creates delays in responses. However, this strategy allows analytical tools to detect actions that take place at several points on a network simultaneously. For example, if the same user account is used to log in to the network from dispersed geographical locations and the employee allocated that account is stationed in none of those places, then clearly the account has been compromised.
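The dispersed-location scenario above is the kind of multi-source correlation a HIDS performs over stored log records. The following script is an added example written for this guide, not code from any HIDS product named here: it parses constructed login records, maps source addresses to sites through a constructed prefix table that stands in for a GeoIP or asset-inventory lookup, and flags an account seen at two different sites within one hour when neither site is the account holder's home location. The log line format, the `HOME_SITE` table and the one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of successful-login records (not taken from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:12Z auth ok user=bob src=10.1.0.7
2024-03-01T08:05:40Z auth ok user=alice src=203.0.113.9
2024-03-01T08:09:03Z auth ok user=alice src=198.51.100.22
2024-03-01T08:20:00Z auth ok user=bob src=203.0.113.9
2024-03-01T09:30:00Z auth ok user=carol src=10.1.0.9
2024-03-01T13:10:00Z auth ok user=alice src=10.1.0.7
"""

# Constructed address-to-site table. A production HIDS would consult a GeoIP
# database or the asset inventory instead of a hard-coded prefix map.
SITE_BY_PREFIX = {
    "10.1.0.": "HQ-London",
    "203.0.113.": "Office-Berlin",
    "198.51.100.": "Remote-Unknown",
}

# Where each account holder is actually stationed (constructed HR data).
HOME_SITE = {"alice": "HQ-London", "bob": "Office-Berlin", "carol": "HQ-London"}

LINE_RE = re.compile(r"^(\S+) auth ok user=(\w+) src=(\S+)$")


def site_of(ip):
    for prefix, site in SITE_BY_PREFIX.items():
        if ip.startswith(prefix):
            return site
    return "Unknown"


def parse_log(text):
    """Turn raw lines into (timestamp, user, source IP) tuples; skip anything unparsable."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_dispersed_logins(events, window=timedelta(hours=1)):
    """Flag an account that logs in from two different sites within `window`
    when the account holder's home site is neither of them."""
    alerts = []
    history = {}  # user -> list of (timestamp, site) already seen
    for ts, user, ip in sorted(events):
        site = site_of(ip)
        for prev_ts, prev_site in history.get(user, []):
            if (prev_site != site and ts - prev_ts <= window
                    and HOME_SITE.get(user) not in (prev_site, site)):
                alerts.append((user, prev_site, site))
        history.setdefault(user, []).append((ts, site))
    return alerts


if __name__ == "__main__":
    for user, a, b in find_dispersed_logins(parse_log(SAMPLE_LOG)):
        print(f"possible compromise: {user} seen at {a} and {b} within an hour")
```

In the sample, bob appears in London and Berlin twenty minutes apart but Berlin is his home site, so no alert is raised; alice appears in Berlin and then from an unknown remote address while being stationed in London, which is the case the text describes. Note that the check depends on the log records still being intact, which is why the next paragraph's point about protecting log files matters.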
Intruders know that log files can expose their activities and so removing log records is a defensive strategy used by hackers. The protection of log files is, therefore, an important element of a HIDS system.
Both NIDS and HIDS have benefits. NIDS produces quick results. However, these systems need to learn from a network’s normal traffic to prevent them from reporting “false positives.” Particularly in the early weeks of operation on a network, NIDS tools have a tendency to over-detect intrusion and create a flood of warnings that prove to be highlighting regular activity. On the one hand, you don’t want to filter out warnings and risk missing intruder activity. However, on the other hand, an overly-sensitive NIDS can try the patience of a network administration team.
HIDS gives a slower response but can give a more accurate picture of intruder activity because it can analyze event records from a wide range of logging sources. You need to take the SIEM approach and deploy both a NIDS and a HIDS to protect your network.
NIDS detection methods
NIDS use two basic detection methods:
- Anomaly-based detection
- Signature-based detection
Signature-based strategies arose from the detection methods used by antivirus software. The scanning program looks for patterns in network traffic including byte sequences and typical packet types that are regularly used for attacks.
An anomaly-based approach compares current network traffic to typical activity. So, this strategy requires a learning phase that establishes a pattern of normal activity. An example of this type of detection would be the number of failed login attempts. A human user might be expected to get a password wrong a few times, but a brute-force programmed intrusion attempt would use many password combinations cycling through a rapid sequence. That is a very simple example. In the field, the activity patterns that an anomaly-based approach looks for can be very complicated combinations of activities.
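The failed-login example above can be turned into a small anomaly detector with an explicit learning phase. This is an added example written for this guide, not code from any of the products listed later: the learning phase counts failed logins per source address per minute over a constructed training window that is assumed to be clean, takes the mean and standard deviation of those counts as the baseline, and the detection phase flags any source whose count in a minute exceeds the baseline by more than `k` standard deviations. The log format, the one-minute bucket, `k = 3` and the absolute floor of five failures are assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(\S+) auth (ok|fail) user=(\w+) src=(\S+)$")

# Constructed training window: a quiet period where people mistype a password once or twice.
TRAINING_LOG = """\
2024-03-01T08:00:05Z auth fail user=alice src=10.1.0.7
2024-03-01T08:00:20Z auth ok user=alice src=10.1.0.7
2024-03-01T08:12:00Z auth fail user=bob src=10.1.0.8
2024-03-01T08:12:30Z auth fail user=bob src=10.1.0.8
2024-03-01T08:12:50Z auth ok user=bob src=10.1.0.8
2024-03-01T09:41:10Z auth fail user=carol src=10.1.0.9
2024-03-01T09:41:30Z auth ok user=carol src=10.1.0.9
2024-03-01T10:05:00Z auth fail user=alice src=10.1.0.7
"""

# Constructed live window: one source cycles through guesses every four seconds,
# while alice mistypes her password twice as usual.
LIVE_LOG = "\n".join(
    [f"2024-03-01T11:00:{s:02d}Z auth fail user=admin src=198.51.100.77" for s in range(0, 48, 4)]
    + [
        "2024-03-01T11:03:10Z auth fail user=alice src=10.1.0.7",
        "2024-03-01T11:03:25Z auth fail user=alice src=10.1.0.7",
        "2024-03-01T11:03:40Z auth ok user=alice src=10.1.0.7",
    ]
)


def failures_per_bucket(text, bucket_seconds=60):
    """Count failed logins per (source address, time bucket)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "fail":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[(m.group(4), int(ts.timestamp()) // bucket_seconds)] += 1
    return counts


def learn_baseline(training_text):
    """Learning phase: mean and standard deviation of failures per bucket
    in traffic believed to be normal."""
    values = list(failures_per_bucket(training_text).values()) or [0]
    return statistics.mean(values), statistics.pstdev(values)


def detect_anomalies(baseline, live_text, k=3.0, floor=5):
    """Flag (source, count) pairs whose failure count in one bucket exceeds
    mean + k*stdev. The absolute floor stops a very quiet baseline from
    turning a single extra typo into an alert, which is the false-positive
    problem a freshly deployed NIDS tends to have."""
    mean, stdev = baseline
    threshold = max(mean + k * stdev, floor)
    return [(src, n) for (src, _), n in sorted(failures_per_bucket(live_text).items())
            if n > threshold]


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING_LOG)
    print("baseline mean=%.2f stdev=%.2f" % baseline)
    for src, n in detect_anomalies(baseline, LIVE_LOG):
        print(f"anomaly: {n} failed logins from {src} in one minute")
```

The training counts here are 1, 2, 1 and 1 failures per minute, so the learned threshold alone would sit at about 2.5; the floor lifts it to 5, which keeps alice's two typos quiet while the source producing twelve failures in a minute is reported.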
Intrusion detection and intrusion prevention
Spotting intrusion is step one of keeping your network safe. The next step is to do something to block the intruder. On a small network, you could possibly enact manual intervention, updating firewall tables to block intruder IP addresses and suspending compromised user accounts. However, on a large network, and on systems that need to be active around the clock, you really need to roll through threat remediation with automated workflows. Automatic intervention to address intruder activity is the defining difference between intruder detection systems and intruder prevention systems (IPS).
This guide focuses on NIDS rather than HIDS tools or IPS software. Surprisingly, many of the leading NIDS are free to use and other top tools offer free trial periods.
Recommended NIDS
Here is our list of the nine best NIDS tools:
- SolarWinds Log & Event Manager (FREE TRIAL)
- Snort
- Bro
- Suricata
- IBM QRadar
- Security Onion
- Open WIPS-NG
- Sagan
- Splunk
The following sections explain each of these tools in detail.
1. SolarWinds Log & Event Manager (FREE TRIAL)
The SolarWinds Log & Event Manager is mainly a HIDS package, but you can use NIDS functions with this tool as well. The tool can be used as an analytical utility to process data collected by Snort, which is described below. Snort is able to capture traffic data that you can view through the Log and Event Manager.
The combination of NIDS and HIDS makes this a really powerful security tool. The NIDS section of the Log and Event Manager includes a rule base, called event correlation rules, that will spot activity anomalies that indicate an intrusion. The tool can be set to automatically implement workflows on the detection of an intrusion warning. These actions are called Active Responses. The actions that you can get automatically launched on the detection of an anomaly include: stopping or launching of processes and services, suspension of user accounts, blocking of IP addresses, and notification sending by email, SNMP message, or screen record. Active responses make the SolarWinds Log and Event Manager into an intrusion prevention system.
This is the top of the line IDS available on the market today and it is not free. The software will only run on the Windows Server operating system, but it can collect data from Linux, Unix, and Mac OS as well as Windows. You can get the SolarWinds Log and Event Manager on a 30-day free trial.
2. Snort
Snort, owned by Cisco Systems, is an open source project and is free to use. This is the leading NIDS today and many other network analysis tools have been written to use its output. The software can be installed on Windows, Linux, and Unix.
This is actually a packet sniffer system that will collect copies of network traffic for analysis. The tool has other modes, however, and one of those is intrusion detection. When in intrusion detection mode, Snort applies “base policies,” which are the tool's detection rule base.
Base policies make Snort flexible, extendable, and adaptable. You need to fine-tune the policies to suit your network’s typical activities and reduce the incidences of “false positives.” You can write your own base policies, but you don’t have to because you can download a pack from the Snort website. There is a very large user community for Snort and those users communicate through a forum. Expert users make their own tips and refinements available to others for free. You can also pick up more base policies from the community for free. As there are so many people using Snort, there are always new ideas and new base policies that you can find in the forums.
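To show what a signature rule does when it is applied to traffic, here is an added example written for this guide; it is not Snort's code and does not use Snort's engine. It parses two constructed rules written in a simplified subset of Snort's rule syntax (a header of action, protocol, addresses and ports, followed by `msg`, `content`, `nocase` and `sid` options) and matches them against constructed packets. The rules, the packets and the reduced option set are assumptions; real Snort rules carry many more modifiers than are handled here.

```python
import re

# Header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Constructed rules in a simplified subset of Snort's rule syntax: a header plus
# msg, content, nocase and sid options. Real rules support many more modifiers
# (offset, depth, pcre, flow, hex content, ...) than this parser understands.
RULES_TEXT = """\
alert tcp any any -> any 80 (msg:"WEB path traversal sequence in request"; content:"/../"; sid:1000001;)
alert tcp any any -> any 22 (msg:"SSH scanner client banner"; content:"SSH-2.0-scan"; nocase; sid:1000002;)
"""

# Constructed packets: the decoded fields a sniffer would hand to the detection engine.
PACKETS = [
    {"proto": "tcp", "src": "10.1.0.7", "sport": 51000, "dst": "10.1.0.50", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.22", "sport": 40022, "dst": "10.1.0.50", "dport": 80,
     "payload": b"GET /static/../config.ini HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.22", "sport": 40100, "dst": "10.1.0.51", "dport": 22,
     "payload": b"ssh-2.0-SCAN probe\r\n"},
]


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    rule = m.groupdict()
    opts, flags = {}, set()
    # Options are ';'-separated; this subset assumes no ';' inside quoted values.
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            flags.add(opt)
    rule["options"], rule["flags"] = opts, flags
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _field_ok(spec, value):
    return spec == "any" or spec == str(value)


def rule_matches(rule, pkt):
    """Header fields first (cheap), then the payload content check."""
    if not (_field_ok(rule["proto"], pkt["proto"]) and _field_ok(rule["src"], pkt["src"])
            and _field_ok(rule["sport"], pkt["sport"]) and _field_ok(rule["dst"], pkt["dst"])
            and _field_ok(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    if content is None:
        return True
    payload, needle = pkt["payload"], content.encode()
    if "nocase" in rule["flags"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload


def scan(rules, packets):
    """Return (sid, msg) for every alert rule that fires on a packet."""
    return [(r["options"]["sid"], r["options"]["msg"])
            for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


if __name__ == "__main__":
    for sid, msg in scan(load_rules(RULES_TEXT), PACKETS):
        print(f"[{sid}] {msg}")
```

The first packet is an ordinary request and fires nothing; the second carries the `/../` byte sequence on port 80 and the third a case-variant of the banner string on port 22, so each fires its rule. The point for tuning is visible in the rules themselves: every `content` string you add is a decision about what is normal on your network, which is why downloaded rule packs still need adjusting before the false-positive rate settles.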
3. Bro
Bro is a NIDS, like Snort, however, it has a major advantage over the Snort system – this tool operates at the Application Layer. This free NIDS is widely-preferred by the scientific and academic communities.
This is both a signature-based system and it also uses anomaly-based detection methods. It is able to spot bit-level patterns that indicate malicious activity across packets.
The detection process is handled in two phases. The first of these is managed by the Bro Event Engine. As data is assessed at higher than packet level, analysis cannot be performed instantly. There has to be a level of buffering so that sufficient packets can be assessed together. So, Bro is a little slower than a typical packet-level NIDS but still identifies malicious activity quicker than a HIDS. Collected data is assessed by policy scripts, which is the second phase of the detection process.
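The buffering trade-off described here, and the earlier point that a packet-level NIDS can miss commands split between packets, can be shown with a few constructed TCP segments. This is an added example written for this guide, not Bro's event engine or any other product's code: a per-packet check looks inside each segment on its own, while a stream check first buffers the segments, puts them in sequence order and scans the joined bytes. The segments, the signature string and the simple in-order reassembly (which rejects gaps and overlaps rather than resolving them) are assumptions.

```python
# Constructed TCP segments of one client-to-server flow. `seq` is the byte offset
# of the segment in the stream; the segments are listed in arrival order, which
# is not stream order.
SEGMENTS = [
    {"seq": 0, "data": b"USER anonymous\r\nPASS gu"},
    {"seq": 41, "data": b"ITE CHMOD 777 /upload\r\n"},
    {"seq": 23, "data": b"est@example.com\r\nS"},
]

# The pattern a signature-based engine is looking for; it straddles two segments.
SIGNATURE = b"SITE CHMOD"


def scan_per_packet(segments, signature):
    """Packet-level inspection: each segment checked on its own.
    Returns the seq numbers of segments that contain the signature."""
    return [s["seq"] for s in segments if signature in s["data"]]


def reassemble(segments):
    """Buffer segments and join them in sequence order. Raises on a gap or
    overlap so a caller never scans a stream with missing bytes as if it were
    complete; a production reassembler also has to bound the buffer and
    decide how to treat retransmissions."""
    stream = b""
    expected = 0
    for seg in sorted(segments, key=lambda s: s["seq"]):
        if seg["seq"] != expected:
            raise ValueError(f"gap or overlap at stream offset {expected}")
        stream += seg["data"]
        expected += len(seg["data"])
    return stream


def scan_stream(segments, signature):
    """Stream-level inspection: returns the offset of the signature in the
    reassembled stream, or -1 if absent."""
    return reassemble(segments).find(signature)


if __name__ == "__main__":
    print("per-packet hits:", scan_per_packet(SEGMENTS, SIGNATURE))
    print("stream offset:  ", scan_stream(SEGMENTS, SIGNATURE))
```

Per-packet scanning returns no hits because the signature's first byte sits at the end of one segment and the rest at the start of another; the stream scan finds it at offset 40. The cost is exactly what the paragraph describes: the detector can only decide once the out-of-order segment at offset 23 has arrived, so the verdict is later than a packet-level check but still earlier than a log-based one.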
It is possible to set up remediation actions to be triggered automatically by a policy script. This makes Bro an intrusion prevention system. The software can be installed on Unix, Linux, and Mac OS.
4. Suricata
Suricata is also a NIDS that operates at the Application Layer, giving it multi-packet visibility. This is a free tool that has very similar capabilities to those of Bro. Although these signature-based detection systems work at the Application level, they still have access to packet details, which lets the processing program get protocol-level information out of packet headers. This includes data encryption, Transport Layer, and Internet Layer data.
This IDS also employs anomaly-based detection methods. Apart from packet data, Suricata is able to examine TLS certificates, HTTP requests, and DNS transactions. The tool is also able to extract segments from files at bit-level for virus detection.
Suricata is one of the many tools that are compatible with the Snort data structure. It is able to implement Snort base policies. A big extra benefit of this compatibility is that the Snort community can also give you tips on tricks to use with Suricata. Other Snort-compatible tools can also integrate with Suricata. These include Snorby, Anaval, BASE, and Sguil.
5. IBM QRadar
This IBM SIEM tool is not free, but you can get a 14-day free trial. This is a Cloud-based service, so it can be accessed from anywhere. The system covers all aspects of intrusion detection including the log-centered activities of a HIDS as well as the examination of live traffic data, which also makes this a NIDS. The network infrastructure that QRadar can monitor extends to Cloud services. The detection policies that highlight possible intrusion are built into the package.
A very nice feature of this tool is an attack modeling utility that helps you test your system for vulnerabilities. IBM QRadar employs AI to ease anomaly-based intrusion detection and has a very comprehensive dashboard that integrates data and event visualizations. If you don’t want to use the service in the Cloud, you can opt for an on-premises version that runs on Windows.
6. Security Onion
If you want an IDS to run on Linux, the free NIDS/HIDS package of Security Onion is a very good option. This is an open source project and is community-supported. The software for this tool runs on Ubuntu and was drawn in from other network analysis utilities. A number of the other tools listed in this guide are integrated into the Security Onion package: Snort, Bro, and Suricata. HIDS functionality is provided by OSSEC and the front end is the Kibana system. Other well-known network monitoring tools that are included in Security Onion include ELSA, NetworkMiner, Snorby, Squert, Sguil, and Xplico.
The utility includes a wide range of analysis tools and uses both signature and anomaly-based techniques. Although the reuse of existing tools means that Security Onion benefits from the established reputation of its components, updates to elements in the package can be complicated.
7. Open WIPS-NG
Open WIPS-NG is an open source project that helps you to monitor wireless networks. The tool can be used as a straightforward wifi packet sniffer or as an intrusion detection system. The utility was developed by the same team that created Aircrack-NG – a very famous network intrusion tool used by hackers. So, while you are using Open WIPS-NG to defend your network, the hackers that you spot will be harvesting your wireless signals with its sister package.
This is a free tool that installs on Linux. The software package includes three components. These are a sensor, a server, and an interface. Open WIPS-NG offers a number of remediation tools, so the sensor acts as your interface to the wireless transceiver both to collect data and to send out commands.
8. Sagan
Sagan is a HIDS. However, with the addition of a data feed from Snort, it can also act as a NIDS. Alternatively, you can use Bro or Suricata to collect live data for Sagan. This free tool can be installed on Unix and Unix-like operating systems, which means that it will run on Linux and Mac OS, but not on Windows. However, it can process Windows event log messages. The tool is also compatible with Anaval, BASE, Snorby, and Sguil.
Useful extras built into Sagan include distributed processing and an IP address geolocator. This is a good idea because hackers often use a range of IP addresses for intrusion attacks but overlook the fact that the common location of those addresses tells a tale. Sagan can execute scripts to automate attack remediation, which includes the ability to interact with other utilities such as firewall tables and directory services. These abilities make it an intrusion prevention system.
9. Splunk
Splunk is a popular network traffic analyzer that also has NIDS and HIDS capabilities. The tool can be installed on Windows and on Linux. The utility is available in three Editions. These are Splunk Free, Splunk Light, Splunk Enterprise, and Splunk Cloud. You can get a 15-day trial to the Cloud-based version of the tool and a 60-day free trial of Splunk Enterprise. Splunk Light is available on a 30-day free trial. All of these versions include data collection abilities and anomaly detection.
Security features of Splunk can be enhanced with an add-on, called Splunk Enterprise Security. This is available on a 7-day free trial. This tool enhances the accuracy of anomaly detection and reduces the incidences of false positives through the use of AI. The extent of alerting can be adjusted by warning severity level to prevent your system administration team getting swamped by an overzealous reporting module.
Splunk integrates log file reference to enable you to get a historical perspective on events. You can spot patterns in attacks and intrusion activity by looking at the frequency of malicious activity over time.
Implementing NIDS
The risks that threaten your network security are now so comprehensive that you really don’t have a choice on whether or not to implement network-based intrusion detection systems. They are essential. Fortunately, you do have a choice over which NIDS tool you install.
There are a lot of NIDS tools out on the market at the moment and most of them are very effective. However, you probably don’t have enough time to investigate all of them. This is why we put together this guide. You can narrow down your search to just the best NIDS tools, which we included on our list.
All of the tools on the list are either free to use or are available as free trial offers. You will be able to take a couple of them through their paces. Simply narrow down the list further according to the operating system and then assess which of the shortlist features match the size of your network and your security needs.
Do you use a NIDS tool? Which did you choose to install? Have you also tried out a HIDS tool? How would you compare the two alternative strategies? Leave a message in the Comments section below and share your experience with the community.