Intrusion Detection Systems: A Deep Dive Into NIDS & HIDS

In many ways, a cyber-attacker is much like a burglar. Their methods are different, of course, but their basic process is the same: Sneak into someplace where you aren’t welcome and take what you want. Of course, hackers steal information rather than physical valuables, but that information can be turned into real wealth in a number of ways. Thus, just as every home needs some kind of protection against intruders, so too must every computer system employ ways of detecting infiltrators and alerting the right people to their activities. 

What Is An Intrusion Detection System?

In most cases, this term refers to a specific kind of software. It often isn’t realistic to monitor a network 24 hours a day, so many people find it practical to automate that process. Obviously, this requires software that is tailored to such a purpose. There are many options in this department, so be sure to read plenty of reviews before making a choice.

In some cases, however, an IDS can take the form of a physical device (i.e., hardware). In essence, these are just devices that are meant to run IDS software in the most efficient way possible. Basically, it’s a computer that is meant to do only one thing. 

HIDS and NIDS

These are two acronyms that you are likely to see when researching this topic. HIDS stands for “Host-based Intrusion Detection Systems” while NIDS stands for “Network-based Intrusion Detection Systems.” The difference is one of focus and emphasis.

A host-based model will concentrate on one specific user device. This could be a computer, a laptop, a mobile device, or anything else that accesses the internet. These kinds of platforms will focus on protecting that device from all threats by recognizing suspicious patterns and issuing alerts. It does this by inspecting system logs and reporting anything that doesn’t look right.

A network-based model works in a similar way, except that it protects the entire network instead of one specific device. Rather than using system logs, it will make use of a packet monitoring program. A “packet” is one particular unit of data that is transmitted across the internet and it will have a lot of information attached. By analyzing the contents of these packets and comparing them with known patterns, NIDS platforms can recognize many threats. 

Signatures And Anomalies

These are the two most important metrics by which IDS programs can identify potential threats. Signatures are things like IP addresses, MAC addresses, packet headers, or the identifying information of known malware sites. This method has the advantage of being very quick and efficient.

Anomalies are just deviations from the norm. In many cases, anomalies are not indicators of cyber-attack. However, pretty much all cyber-attacks will produce abnormal patterns. Thus, anomaly-based detection is reliable, but it tends to give a lot more false positives. Because it is more complex than signature-based methods, it can also be a little slower to run.

We aren’t going to waste time debating which of these approaches is better because both are needed. Ideally, you want to use hardware or software that incorporates both of these things in a hybrid approach. Yes, this might make for slower scans, but it will also make for more reliable results. 

Working IDS Into Your System Architecture

For those who are tasked with maintaining secure networks, there is a question of where you should place your IDS in terms of system architecture. Most authorities seem to agree that an IDS should be placed behind your network or devices’ firewall. An IDS does not replace traditional firewall technology…in fact, these two things can work together and complement each other nicely.

The firewall acts as the initial filter, taking care of the little things that aren’t that serious. More to the point, a given activity isn’t really a cause for concern until it gets past the firewall. That’s when an actual intrusion has occurred, so it would be pointless to make that IDS your first line of defense. That being said, it wouldn’t hurt to use IDS on both sides of that initial network firewall (which is usually applied at the router level). 

IDS Versus IPS

It is important to understand the difference between IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems). Of course, the names tell you a lot. Basically, IDS is a passive system that can only detect a potential threat. It is then left up to the user to evaluate and respond to this threat. IPS, by contrast, will actually take action against the potential threat.

Of course, there is some overlap between these two models. IPS requires some kind of detection system in order to do its job, whereas IDS can work alone. Some people prefer to have a human response, and that’s when an IDS should be enough to do the job. Still, it’s best to choose an IDS that does its best to filter out the false positives. As with the methods of detection, it is best to find something that uses both.

The Importance Of Readability

When you are looking for IDS software, it is best to find something that isn’t all that hard to read and interpret. Yes, a skilled technician should be able to understand all that raw data, but why make their job harder than necessary? Besides, clear displays make for clear explanations, and that makes for better communication between management and IT. Effectiveness is king, but there is also something to be said for clear and readable metrics.

Conclusion

No matter what kind of IDS you choose, you will still need qualified people to use it effectively. If you need to find those kinds of seasoned professionals, we recommend that you call PCH Technologies at (856) 754-7500. That call could make the difference between a failed attack and a costly data breach. As such, we urge you to take advantage of all this free advice and start implementing those precautions today.