January 11, 2014, 14:20

We'll see what a NIDS is, and where to place it in the network topology.

What is a NIDS

A NIDS is a Network Intrusion Detection System: software that monitors network traffic. Using a database of network signatures and patterns, it issues alerts and records suspicious traffic for later analysis.

Here is a basic NIDS in a private network:


A NIDS differs from a NIPS (Network Intrusion Prevention System) in that the NIDS does pure, passive monitoring, whereas the NIPS is placed inline and actively blocks suspicious connections.
Here is a NIPS placement:


NIDS and NIPS may in some ways be thought of as the network antivirus: they have an updatable database of signatures and patterns, and perform detection, alerting, logging, and possibly blocking (in the case of a NIPS).

NIDS placement in the topology

The first thing to note is that if the NIDS is to monitor a whole subnet, port mirroring on the switch is mandatory, as an Ethernet switch creates a separate collision domain for each switch port (i.e. port 1 can't listen to the network traffic on port 2, etc.). Some entry-level professional routers do provide port mirroring (e.g. the Cisco RV 110W, at a 70 €/$ price tag).
Here's a basic port mirroring setup for a NIDS:


Another solution, for experimentation only, would be to use a network hub, or a Wi-Fi WEP/WPA network, as they don't create separate collision domains (yes, that's why you want to use public Wi-Fi networks with extra care).
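
A way to confirm that the sensor port really receives mirrored traffic, as an added example that is not part of the original article: it classifies captured Ethernet frames and reports whether unicast traffic between other hosts is visible. The MAC addresses, the sample frames and the `min_ratio` threshold are constructed assumptions.

```python
import struct

def mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a constructed Ethernet II frame with a dummy payload."""
    return dst + src + struct.pack("!H", ethertype) + b"\x00" * 46

def mirror_report(frames, sensor_mac: bytes, min_ratio: float = 0.2) -> dict:
    """Classify frames captured on the sensor interface.

    foreign_unicast = unicast between two other hosts. A switch normally
    delivers these to the sensor port only when mirroring (or a hub) is in
    place; a few may still leak through unknown-unicast flooding, hence the
    ratio threshold (min_ratio is an assumed value, tune it per network)."""
    counts = {"own": 0, "group": 0, "foreign_unicast": 0, "malformed": 0}
    for raw in frames:
        if len(raw) < 14:                      # shorter than an Ethernet header
            counts["malformed"] += 1
            continue
        dst, src = raw[0:6], raw[6:12]
        if sensor_mac in (dst, src):
            counts["own"] += 1
        elif dst[0] & 0x01:                    # I/G bit set: broadcast/multicast
            counts["group"] += 1
        else:
            counts["foreign_unicast"] += 1
    valid = len(frames) - counts["malformed"]
    ratio = counts["foreign_unicast"] / valid if valid else 0.0
    counts["mirror_active"] = ratio >= min_ratio
    return counts

# Constructed sample data (locally administered MAC addresses).
SENSOR, A, B = mac("02:00:00:00:00:99"), mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
BCAST = mac("ff:ff:ff:ff:ff:ff")
NO_MIRROR = [frame(BCAST, A), frame(SENSOR, A), frame(A, SENSOR), frame(BCAST, B), b"\x00" * 5]
WITH_MIRROR = [frame(B, A), frame(A, B), frame(BCAST, A), frame(B, A), frame(SENSOR, A)]

if __name__ == "__main__":
    print("plain switch port:", mirror_report(NO_MIRROR, SENSOR))
    print("mirror port:      ", mirror_report(WITH_MIRROR, SENSOR))
```

A sensor that only ever reports `own` and `group` frames is plugged into an ordinary switch port and will miss the traffic it is supposed to inspect.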

There are basically three places a NIDS may be placed:

On the WAN side :


    . pros : any suspicious attempt is detected

    . cons : too much noise will encumber the NIDS performance and flood the alert system for a limited benefit.




On the DMZ/EDGE Network :


    . pros : better NIDS performance, less unwanted noise to degrade performance and flood the alert system

    . cons : only traffic that has been allowed past the firewall is analyzed. Firewall-blocked attempts are ignored.




On the Inner Network :


    . same pros and cons as the DMZ/EDGE placement, in a different area strategy-wise.



A good NIDS placement should include both DMZ/EDGE and Inner Network positioning, for multi-zone monitoring:




This last approach is called the multi-sensor approach, as there are multiple NIDS sensors positioned on the network topology, monitored from a single unified GUI frontend.



- SNORT® is a registered trademark  of Sourcefire, Inc. -


Published by computer outlines - in NIDS


