We'll see what a NIDS is, and where to place it in the network topology.
What is a NIDS
A NIDS is a Network Intrusion Detection System: software that monitors network traffic. Using a database of network signatures and patterns, it issues alerts and records suspicious traffic for later analysis.
Here is a basic NIDS in a private network:
A NIDS differs from a NIPS (Network Intrusion Prevention System) in that the NIDS does pure, passive monitoring, whereas the NIPS is placed inline and actively blocks suspicious connections.
Here is a NIPS placement:
NIDS and NIPS may in some ways be thought of as the network antivirus: they have an updatable signature and pattern database, and perform detection, alerting, logging and, in the case of a NIPS, blocking.
NIDS placement in the topology
The first thing to note is that if the NIDS is to monitor a whole subnet, port mirroring on the switch is mandatory, as an Ethernet switch creates a separate collision domain for each switch port (i.e. port 1 can't listen to the network traffic over port 2, etc.). Some entry-level professional routers do provide port mirroring (e.g. the Cisco RV 110W, at a 70 €/$ price tag).
Here's a basic port mirroring setup for a NIDS:
Another solution, for experimentation only, would be to use a network hub or a WEP/WPA Wi-Fi network, as they don't create separate collision domains (yes, that's why you want to use public Wi-Fi networks with extra care).
There are basically three places a NIDS may be placed:
On the WAN side:
. pros: any suspicious attempt is detected
. cons: too much noise will encumber the NIDS's performance and flood the alert system, for a limited benefit.
On the DMZ/EDGE network:
. pros: better NIDS performance, less unwanted noise to degrade performance and flood the alert system
. cons: only traffic that has been allowed past the firewall is analyzed; firewall-blocked attempts are ignored.
A good NIDS placement should include both DMZ/EDGE and inner network positioning, for multi-zone monitoring:
This last approach is called the multi-sensor approach, as there are multiple NIDS sensors positioned in the network topology, monitored from a single unified GUI frontend.
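To make the WAN-side versus DMZ-side trade-off and the multi-sensor idea concrete, here is an added example (not code from the original article, and not Snort): a toy signature-matching sensor fed from two placements. The signature database, the firewall policy for a hypothetical DMZ host 10.0.1.10 and the sample packets are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    payload: bytes

# Constructed signature database: (alert name, destination port, payload pattern).
SIGNATURES = [
    ("ssh-probe", 22, re.compile(rb"^SSH-")),
    ("web-traversal", 80, re.compile(rb"\.\./\.\./")),
]
# Hypothetical firewall policy: the DMZ host only accepts web ports from the WAN.
DMZ_HOST = "10.0.1.10"
ALLOWED_PORTS = {80, 443}

def firewall_allows(pkt: Packet) -> bool:
    return pkt.dst == DMZ_HOST and pkt.dport in ALLOWED_PORTS

@dataclass
class Sensor:
    zone: str
    alerts: list = field(default_factory=list)    # (zone, signature, source IP)
    captured: list = field(default_factory=list)  # suspicious packets kept for later analysis

    def inspect(self, pkt: Packet) -> None:
        # Passive monitoring: match against every signature; on a hit, alert and record.
        for name, port, pattern in SIGNATURES:
            if port == pkt.dport and pattern.search(pkt.payload):
                self.alerts.append((self.zone, name, pkt.src))
                self.captured.append(pkt)
                return

def run_sensors(packets):
    """WAN sensor sees every packet; DMZ sensor only sees what the firewall lets through."""
    wan, dmz = Sensor("WAN"), Sensor("DMZ")
    for pkt in packets:
        wan.inspect(pkt)
        if firewall_allows(pkt):
            dmz.inspect(pkt)
    return wan, dmz
# Constructed sample traffic (documentation address ranges, not a real capture).
TRAFFIC = [
    Packet("203.0.113.5", DMZ_HOST, 22, b"SSH-2.0-scanner"),
    Packet("203.0.113.5", DMZ_HOST, 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("198.51.100.7", DMZ_HOST, 80, b"GET /index.html HTTP/1.1"),
]
```

Running `run_sensors(TRAFFIC)` shows the WAN sensor raising two alerts (one for an attempt the firewall drops anyway) while the DMZ sensor raises only the one that actually got through; collecting both sensors' alert lists in one place is the multi-sensor view.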
- SNORT® is a registered trademark of Sourcefire, Inc. -