It seems like everyone these days is concerned with security. That makes sense given the prevalence of cyber-criminality. Organizations are targeted by hackers trying to steal their data or cause them other harm. One way you can safeguard your IT environment against these attacks is through the use of the right tools and systems. Often, the first line of defence is at the perimeter of the network, in the form of Network-based Intrusion Detection Systems, or NIDS. These systems analyze traffic coming onto your network from the internet to detect any suspicious activity and alert you immediately. NIDS are so popular, and so many of them are available, that finding the best one for your needs can be a challenging endeavour. To help you, we’ve assembled this list of some of the best network-based Intrusion Detection Systems.
We’ll begin our journey by having a look at the different types of Intrusion Detection Systems. Essentially, there are two types: network-based and host-based. We’ll explain their differences. Intrusion Detection Systems also differ in the detection method they use. Some of them use a signature-based approach while others rely on behavioural analysis. The best tools use a combination of both detection methods. The market is saturated with both intrusion detection and intrusion prevention systems. We’ll explore how they differ and how they are alike, as it is important to understand the distinction. Finally, we’ll review the best Network-based Intrusion Detection Systems and present their most important features.
Network- vs Host-based Intrusion Detection
Intrusion Detection Systems are of one of two types. They both share an identical goal—to quickly detect intrusion attempts or suspicious activity potentially leading to intrusion attempts—but they differ in the location of the enforcement point, that is, where the detection is performed. Each type of intrusion detection tool has advantages and disadvantages. There is no real consensus as to which one is preferable. Some swear by one type while others will only trust the other. Both are probably right. The best solution—or the most secure—is probably one which combines both types.
Network Intrusion Detection Systems (NIDS)
The first type of Intrusion Detection System is called Network Intrusion Detection System or NIDS. These systems work at the network’s border to enforce detection. They intercept and examine network traffic, looking for suspicious activities which could indicate an intrusion attempt and also looking for known intrusion patterns. Intruders often try to exploit known vulnerabilities of various systems by, for example, sending malformed packets to hosts, making them react in a particular way which allows them to be breached. A Network Intrusion Detection System will most likely detect this kind of intrusion attempt.
Some argue that Network Intrusion Detection Systems are better than their host-based counterparts as they can detect attacks before they even get to your systems. Some also tend to prefer them because they don’t require installing anything on each host to effectively protect them. On the other hand, they provide little protection against insider attacks, which are unfortunately not at all uncommon. To be detected, an attacker’s intrusion attempt must pass through the NIDS, which it rarely does when it originates from within. Any technology has pros and cons and, in the specific case of intrusion detection, nothing stops you from using both types of tools for the ultimate protection.
Host Intrusion Detection Systems (HIDS)
Host Intrusion Detection Systems (HIDS) operate at the host level, as you might have guessed from their name. They will, for instance, monitor various log files and journals for signs of suspicious activity. Another way they can detect intrusion attempts is by checking system configuration files for unauthorized changes. They can also examine these same files for specific known intrusion patterns. For example, a particular intrusion method may be known to work by adding a certain parameter to a specific configuration file. A good Host-based Intrusion Detection System would catch that.
Although their name could lead you to think that all HIDS are installed directly on the device they’re meant to protect, that is not necessarily the case. Some will need to be installed on all your computers while others will only require installing a local agent. Some even do all their work remotely with no agent. No matter how they operate, most HIDS have a centralized console where you can control every instance of the application and view all results.
Intrusion Detection Methods
Intrusion detection systems don’t only differ by their enforcement point; they also differ by the method they use to detect intrusion attempts. Some are signature-based while others are anomaly-based. The first ones work by analyzing data for specific patterns that have been associated with intrusion attempts. This is similar to traditional virus protection systems which rely on virus definitions. Signature-based intrusion detection relies on intrusion signatures or patterns. These systems compare captured data with intrusion signatures to identify intrusion attempts. Of course, they won’t work until the proper signature is loaded into the software, which can sometimes happen only after a certain number of machines have been attacked and publishers of intrusion signatures have had time to publish new update packages. Some suppliers are quite fast while others may only react days later. This is the primary drawback of this detection method.
Anomaly-based intrusion detection provides better protection against zero-day attacks, those that happen before any intrusion detection software has had a chance to acquire the proper signature file. These systems look for anomalies instead of trying to recognize known intrusion patterns. For example, someone trying to access a system with a wrong password several times in a row would trigger an alert, as this is a common sign of a brute force attack. These systems can quickly detect any suspicious activity on the network. Each detection method has advantages and drawbacks and, just like with the two types of tools, the best tools are probably those using a combination of signature and behaviour analysis.
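To make the two detection methods concrete, here is an added example that is not part of the original article and not taken from any of the products reviewed below. It runs a signature-based detector (a small list of known patterns, standing in for a vendor rule feed) and an anomaly-based detector (a threshold on failed logins per source within a sliding time window, the brute-force case mentioned above) over a handful of constructed log lines. The log lines, signature names, IP addresses and the threshold of five failures in sixty seconds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
2024-03-01T10:00:03 sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
2024-03-01T10:00:04 sshd[201]: Failed password for root from 203.0.113.7 port 51014 ssh2
2024-03-01T10:00:06 sshd[201]: Failed password for root from 203.0.113.7 port 51015 ssh2
2024-03-01T10:00:07 sshd[201]: Failed password for root from 203.0.113.7 port 51016 ssh2
2024-03-01T10:00:09 sshd[202]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
2024-03-01T10:05:00 httpd[310]: GET /cgi-bin/../../etc/passwd HTTP/1.1 from 203.0.113.9
2024-03-01T10:06:00 httpd[310]: GET /index.html HTTP/1.1 from 198.51.100.4
"""

# Signature-based detection: a (constructed) list of known bad patterns.
# Anything not in this list is invisible to this detector, which is exactly
# the drawback the text describes.
SIGNATURES = [
    ("path-traversal-in-uri", re.compile(r"GET \S*\.\./\S*")),
    ("etc-passwd-request", re.compile(r"/etc/passwd")),
]


def signature_alerts(lines):
    """Return (signature_name, line) for every line matching a known pattern."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


# Anomaly-based detection: no pattern for the attack itself, only a model of
# what "too many" failures looks like. A new credential-guessing tool would
# still be caught because it is the behaviour, not the tool, that is measured.
FAILED_LOGIN = re.compile(r"^(\S+) \S+ Failed password for .* from (\S+) port")


def anomaly_alerts(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that accumulates `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        src = m.group(2)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(("possible-brute-force", src, len(q)))
    return alerts


def run(log_text=SAMPLE_LOG):
    """Run both detectors over the same input and return their alerts side by side."""
    lines = log_text.splitlines()
    return {"signature": signature_alerts(lines), "anomaly": anomaly_alerts(lines)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

Note that the traversal request fires two signatures at once, while the five failed logins fire nothing in the signature detector: each method sees a different part of the picture, which is the argument for combining them.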
Detection Or Prevention?
Some people tend to get confused between intrusion detection and intrusion prevention systems. While they are closely related, they are not identical although there is some functionality overlap between the two. As the name suggests, intrusion detection systems detect intrusion attempts and suspicious activities. When they detect something, they typically trigger some form of alert or notification. It is then up to administrators to take the necessary steps to stop or block the intrusion attempt.
Intrusion Prevention Systems (IPS) go one step further and can stop intrusions from happening altogether. Intrusion Prevention Systems include a detection component—which is functionally equivalent to an Intrusion Detection System—that will trigger some automatic remedial action whenever an intrusion attempt is detected. No human intervention is required to stop the intrusion attempt. Intrusion prevention can also refer to anything that is done or put in place as a way of preventing intrusions. For instance, password hardening or intruder lockout can be thought of as intrusion prevention measures.
The Best Network Intrusion Detection Tools
We’ve searched the market for the best Network-based Intrusion Detection Systems. Our list contains a mix of true Network-based Intrusion Detection Systems and other software which has a network-based intrusion detection component or which can be used to detect intrusion attempts. Each of our recommended tools can help detect intrusion attempts on your network.
1. SolarWinds Threat Monitor – IT Ops Edition
SolarWinds is a common name in the field of network administration tools. The company’s been around for some 20 years and has brought us some of the best network and system administration tools. Its flagship product, the Network Performance Monitor, consistently scores among the top network bandwidth monitoring tools. SolarWinds also makes excellent free tools, each addressing a specific need of network administrators. The Kiwi Syslog Server and the Advanced Subnet Calculator are two good examples of those.
For network-based intrusion detection, SolarWinds offers the Threat Monitor – IT Ops Edition. Contrary to most other SolarWinds tools, this one is a cloud-based service rather than locally installed software. You simply subscribe to it, configure it, and it starts watching your environment for intrusion attempts and a few more types of threats. The Threat Monitor – IT Ops Edition combines several tools. It has both network- and host-based Intrusion Detection as well as log centralization and correlation, and Security Information and Event Management (SIEM). It is a very thorough threat monitoring suite.
- FREE DEMO: SolarWinds Threat Monitor – IT Ops Edition
- Official download link: https://www.solarwinds.com/threat-monitor/registration
The Threat Monitor – IT Ops Edition is always up to date, constantly getting updated threat intelligence from multiple sources, including IP and Domain Reputation databases. It watches for both known and unknown threats. The tool features automated intelligent responses to quickly remediate security incidents giving it some intrusion prevention-like features.
The product’s alerting features are quite impressive. There are multi-conditional, cross-correlated alarms that work in conjunction with the tool’s Active Response engine and assist in identifying and summarizing important events. The reporting system is just as good as its alerting and can be used to demonstrate compliance by using existing pre-built report templates. Alternatively, you can create custom reports to precisely fit your business needs.
Prices for the SolarWinds Threat Monitor – IT Ops Edition start at $4 500 for up to 25 nodes with 10 days of index. You can contact SolarWinds for a detailed quote adapted to your specific needs. And if you prefer to see the product in action, you can request a free demo from SolarWinds.
2. Snort
Snort is certainly the best-known open-source NIDS. But Snort is actually more than an intrusion detection tool. It’s also a packet sniffer and a packet logger and it packs a few other functions as well. For now, we’ll concentrate on the tool’s intrusion detection features as this is the subject of this post. Configuring the product is reminiscent of configuring a firewall. It is configured using rules. You can download base rules from the Snort website and use them as-is or customize them to your specific needs. You can also subscribe to Snort rules to automatically get all the latest rules as they evolve or as new threats are discovered.
Snort is very thorough and even its basic rules can detect a wide variety of events such as stealth port scans, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. There’s virtually no limit to what you can detect with this tool, and what it detects is solely dependent on the rule set you install. As for detection methods, some of the basic Snort rules are signature-based while others are anomaly-based. Snort can, therefore, give you the best of both worlds.
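To show what "configured using rules" means in practice, here is an added example (not Snort's own code and not one of Snort's published rule sets) that parses two rules written in Snort's rule syntax and evaluates them against a few constructed packets. The rule header (action, protocol, source, source port, direction, destination, destination port) is matched first, then the options in parentheses; only the `msg`, `content`, `nocase`, `sid` and `rev` options are understood here, and unknown options are ignored. The `$HOME_NET`/`$EXTERNAL_NET` values, the packet contents and the rule SIDs are assumptions made for the example; real Snort also supports port ranges, lists, hex content and many more options that this toy matcher leaves out.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rules in Snort rule syntax (not from Snort's distributed rule sets).
RULES_TEXT = """\
alert tcp any any -> $HOME_NET 80 (msg:"WEB-ATTACKS /etc/passwd in request"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB probe from outside"; sid:1000002; rev:1;)
"""

# Variables that snort.conf would define with ipvar (constructed values).
# EXTERNAL_NET is everything that is not HOME_NET, as in the default config.
VARS = {
    "$HOME_NET": ["192.0.2.0/24"],
    "$EXTERNAL_NET": ["!$HOME_NET"],
}

HEADER = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
# option name, optionally ':' and a quoted or bare value, terminated by ';'
OPTION = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    content: Optional[bytes]
    nocase: bool


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rules(text):
    """Parse Snort-style rule lines into Rule objects (simplified grammar)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        h = HEADER.match(line)
        if not h:
            raise ValueError(f"unparseable rule: {line}")
        opts = dict(OPTION.findall(h["opts"]))
        content = opts.get("content")
        rules.append(Rule(
            action=h["action"], proto=h["proto"], src=h["src"], sport=h["sport"],
            dst=h["dst"], dport=h["dport"],
            msg=opts["msg"].strip('"'),
            sid=int(opts["sid"]),
            content=content.strip('"').encode() if content else None,
            nocase="nocase" in opts,
        ))
    return rules


def addr_matches(spec, ip):
    """Resolve an address spec ('any', '$VAR', '!spec', IP or CIDR) against ip."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec in VARS:
        return any(addr_matches(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header first (cheap), then payload content (the signature proper)."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if not (port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)):
        return False
    if rule.content is not None:
        hay, needle = pkt.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def inspect(packets, rules):
    """Return (sid, msg, source_ip) for every alert rule that fires on a packet."""
    return [(r.sid, r.msg, p.src) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]


# Constructed packets: mixed case in the first payload shows why `nocase` matters.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 80, b"GET /cgi-bin/../../ETC/PASSWD HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.5", 51001, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", "198.51.100.9", 50000, "192.0.2.20", 445, b""),
    Packet("tcp", "192.0.2.30", 50100, "192.0.2.20", 445, b""),   # internal client, not EXTERNAL_NET
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS, parse_rules(RULES_TEXT)):
        print(alert)
```

The fourth packet is the instructive one: the SMB rule is scoped with `$EXTERNAL_NET`, so an internal client reaching the file server is not reported, while the same probe from outside is. Scoping rules this way is what keeps a rule set from drowning you in alerts about normal traffic.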
3. Suricata
Suricata is not only an Intrusion Detection System. It also has some Intrusion Prevention features. In fact, it is advertised as a complete network security monitoring ecosystem. One of the tool’s best assets is how it works all the way up to the application layer. This makes it a hybrid network- and host-based system which lets the tool detect threats that would likely go unnoticed by other tools.
Suricata is a true Network-based Intrusion Detection System and it doesn’t only work at the application layer. It will monitor lower-level networking protocols like TLS, ICMP, TCP, and UDP. The tool also understands and decodes higher-level protocols such as HTTP, FTP, or SMB and can detect intrusion attempts hidden in otherwise normal requests. The tool also features file extraction capabilities, allowing administrators to examine any suspicious file.
Suricata’s application architecture is quite innovative. The tool will distribute its workload over several processor cores and threads for the best performance. If need be, it can even offload some of its processing to the graphics card. This is a great feature when using the tool on servers as their graphics card is typically underused.
4. Bro Network Security Monitor
The Bro Network Security Monitor is another free network intrusion detection system. The tool operates in two phases: traffic logging and traffic analysis. Just like Suricata, Bro Network Security Monitor operates at multiple layers, up to the application layer. This allows for better detection of split intrusion attempts. The Bro Network Security Monitor’s analysis module is made up of two elements. The first element is called the event engine and it tracks triggering events such as new TCP connections or HTTP requests. The events are then analyzed by policy scripts, the second element, which decide whether or not to trigger an alarm and/or launch an action. The possibility of launching an action gives the Bro Network Security Monitor some IPS-like functionality.
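The two-element split described above (an event engine that understands protocols, and policy scripts that decide what to do about the events) is worth seeing in miniature. The following is an added example written for this article; it is a model of the architecture, not Bro's (now Zeek's) own engine or scripting language. A generator plays the event engine, producing `new_connection` and `http_request` events from a few constructed connection records, and two "policy scripts" registered as handlers turn those events into alarms and, for one of them, an IPS-like block action. The connection records, the distinct-port threshold of four, the `/admin/` URI prefix and the event and handler names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed connection records of the kind an event engine derives from
# captured traffic; not real capture data.
SAMPLE_CONNECTIONS = [
    {"src": "198.51.100.4", "dst": "192.0.2.10", "dport": 80,
     "http": {"method": "GET", "uri": "/index.html", "user_agent": "Mozilla/5.0"}},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 23},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 25},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80,
     "http": {"method": "GET", "uri": "/admin/config.php", "user_agent": "curl/8.0"}},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 443},
]


@dataclass
class Event:
    name: str
    data: dict


@dataclass
class Verdict:
    alarms: list = field(default_factory=list)
    actions: list = field(default_factory=list)


# --- Element 1: the event engine. It knows protocols, not policy. -----------
def event_engine(connections):
    """Turn raw connection records into a stream of named events."""
    for c in connections:
        yield Event("new_connection", {"src": c["src"], "dst": c["dst"], "dport": c["dport"]})
        if "http" in c:
            yield Event("http_request", {"src": c["src"], **c["http"]})


# --- Element 2: policy scripts. They know policy, not packet parsing. --------
HANDLERS = defaultdict(list)


def on(event_name):
    """Register a policy handler for an event name (stands in for Bro's event handlers)."""
    def register(fn):
        HANDLERS[event_name].append(fn)
        return fn
    return register


DISTINCT_PORT_THRESHOLD = 4   # constructed threshold for the port-sweep heuristic
_seen_ports = defaultdict(set)   # per-source state kept across events


@on("new_connection")
def detect_port_sweep(ev, verdict):
    """A source touching many distinct ports on a host looks like a sweep."""
    ports = _seen_ports[ev.data["src"]]
    ports.add(ev.data["dport"])
    if len(ports) == DISTINCT_PORT_THRESHOLD:      # fire once, on crossing the threshold
        verdict.alarms.append(("port_sweep", ev.data["src"]))
        verdict.actions.append(("block", ev.data["src"]))   # the IPS-like action


@on("http_request")
def detect_admin_uri(ev, verdict):
    """Requests to an administrative path are alarmed but not blocked."""
    if ev.data["uri"].startswith("/admin/"):
        verdict.alarms.append(("admin_uri_request", ev.data["src"], ev.data["uri"]))


def run_policy(events):
    """Dispatch every event to the handlers registered for its name."""
    _seen_ports.clear()
    verdict = Verdict()
    for ev in events:
        for handler in HANDLERS[ev.name]:
            handler(ev, verdict)
    return verdict


def analyze(connections=SAMPLE_CONNECTIONS):
    return run_policy(event_engine(connections))


if __name__ == "__main__":
    v = analyze()
    print("alarms:", v.alarms)
    print("actions:", v.actions)
```

Because the policy layer only sees events, a new protocol decoder in the engine immediately becomes available to every existing script, and a policy change never requires touching the parsing code; that separation is the point of the design.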
The Bro Network Security Monitor will let you track HTTP, DNS, and FTP activity and it will also monitor SNMP traffic. This is a good thing because SNMP is often used for network monitoring yet it is not a secure protocol. And since it can also be used to modify configurations, it could be exploited by malicious users. The tool will also let you watch device configuration changes and SNMP Traps. It can be installed on Unix, Linux, and OS X but it is not available for Windows, which is perhaps its main drawback.
5. Security Onion
It is hard to define what the Security Onion is. It is not just an intrusion detection or prevention system. It is, in reality, a complete Linux distribution with a focus on intrusion detection, enterprise security monitoring, and log management. As such, it can save administrators a lot of time. It includes many tools, some of which we’ve just reviewed. Security Onion includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and more. To make setting it all up easier, the distribution is bundled with an easy-to-use setup wizard, allowing you to protect your organization within minutes. If we had to describe the Security Onion in one sentence, we’d say it is the Swiss Army knife of enterprise IT security.
One of the most interesting things about this tool is that you get everything in one simple install. For Intrusion Detection, the tool gives you both Network- and Host-based Intrusion Detection tools. The package also combines tools that use a signature-based approach and tools that are anomaly-based. Furthermore, you’ll find a combination of text-based and GUI tools. There’s really an excellent mix of security tools. There is one primary drawback to the Security Onion. With so many included tools, configuring them all can turn out to be a considerable task. However, you don’t have to use, and configure, all the tools. You’re free to pick only those that you wish to use. Even if you only use a couple of the included tools, it would likely be a faster option than installing them separately.