Categories Topics
Description
Intrusion Detection System (IDS) - Host or Network

Overview
Intrusion Detection System (IDS) are devices or software controls used to monitor network traffic and/or systems for malicious activities and log and report them. IDS comes in two primary categories Network IDS (NIDS) or Host based (HIDS).

Guidelines
Network IDS (or NIDS) sensor devices are placed on the network by attaching to or tapping into network devices via a choke point, usually at the perimeter (or DMZ) or network borders. IDS sensors in passive mode will capture network traffic and analyze packets, log and alert on events, such as security breach and/or violations to policies. Intrusion Preventions Systems (IPS) devices utilize the same IDS functionality with the added ability to reset connections or reprogram firewalls to block suspicious or malicious activity from the source. Host IDS (or HIDS) consist of software agents that run on servers or workstations and monitors systems for malicious activities by analyzing logs, file systems, system calls and so forth and alerts for malicious activities.

Intrusion Detection Systems (IDS) sensors are critical network monitoring controls that should be implemented as part of an effective information security program. Network IDS (or NIDS) sensors should be implemented at the most critical network border choke points, such as at the DMZ (perimeter of organization's network and internet), to sniff traffic and look for indications of attack. NIDS can also be strategically placed between Security Zones. Security Zones consist of a grouping of systems, network segments, etc. based on data classification, sensitivity and/or key functionality to the organization. Examples of zones can include: Development, Production, Customer-facing, Partner/vendor, User, etc.

It is also important to leverage NIDS to complement Firewalls (used to block network activity that violate policies), to monitor and restrict network traffic between the zones. The important objective is to ensure IDS sensor coverage is implemented to protect the most sensitive data (internal to organization) as well as externally (from the internet or supplier/partner networks). Most organizations have a limited budget so focus should be to prioritize placing sensors to protect the highest risk assets first.

The host-based variation, HIDS, can also be implemented on the most critical systems to monitor policy violations. HIDS can be used as complementary to NIDS and other monitoring controls such as anti-virus agents, but organizations may want to focus on the most critical assets. HIDS can introduce an additional level of complexity that organizations should consider. Finally, IDS logged events should be forwarded to a central console and logging system used for monitoring and logging system security events. We recommend organizations consider Security Information Event Monitoring (SIEM) solutions that can help security or operations team better correlate and filter events and logs from multiple sources, such as IDS and security logging from servers and workstations. SIEM's or log aggregators can also be used to archive and store security logs used for legal, regulatory or future forensics purposes. See "SIEM" topic for more information.
 
News Articles
HP to scale up TippingPoint network security with SDNwww.computerworld.com2/1/2013
DHS To Critical Infrastructure Owners: Hold On To Data After Cyber Attackthreatpost.com5/29/2012