What is a network intrusion detection system

Workshop: Intrusion Detection and Intrusion Prevention with Snort

One of the best-known IDS applications is the open source tool Snort, which is released under the GNU GPL. (Since the boundaries between an IDS and an IPS are fluid, we will speak only of IDS in the following.) This multi-part workshop is intended to help you understand Snort better and configure it optimally. Before you install an IDS on your network, however, you need to understand the basics and analyze your requirements. That is the subject of this first part of our series of articles on Snort. The following parts cover installation, initial configuration, tuning of the rules and, finally, analysis of the alerts the system generates.

Tasks of an IDS

Intrusion detection systems are now standard in many networks. Typically they detect an attack at the point where someone attempts to gain unauthorized access to a network. But an IDS can do much more: among other things, it can monitor logins and logouts as well as access to files and directories within a network. A distinction is therefore often made between host-based (HIDS) and network-based (NIDS) systems.

The main task of an intrusion detection system is to monitor and analyze networks. If it detects anomalies in the traffic, it issues a warning. (We will go into the relevant rules a little later.) A distinction is made between system events and user events: the IDS logs and analyzes what happens within a system and what errors users produce on a host or in a network.

In principle, an IDS should be integrated into an existing network as an additional layer of security. It is often deployed because the existing security measures are not fully trusted: a firewall, for example, can be bypassed by tunneling through port 80, which is always open. Intrusion detection systems are also used where very sensitive data is processed; access to such data must then be tightly restricted and closely monitored. Protection against data leakage is often the primary concern here, since espionage is commonplace today.
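To make the port-80 tunneling point concrete, here is a small added example (written for this article, not code from Snort or its authors) of the kind of check a NIDS performs: it inspects constructed connection records and raises a warning when the first bytes sent to TCP port 80 do not look like HTTP. The `Flow` record, the `inspect` function and the sample traffic are all assumptions for illustration; a real deployment would express this as a Snort rule rather than Python.

```python
# Added example: a minimal network-based anomaly check in the spirit of
# the IDS tasks described above. It is not Snort code; it shows the idea
# of "traffic on the web port that is not HTTP" as a detectable anomaly.
from dataclasses import dataclass
from typing import List, Optional

HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "PATCH ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client (assumed record layout)


def looks_like_http(payload: bytes) -> bool:
    """True if the client's first bytes start with an HTTP request method."""
    head = payload[:8]
    return any(head.startswith(m.encode()) for m in HTTP_METHODS)


def inspect(flow: Flow) -> Optional[str]:
    """Return an alert for non-HTTP traffic on port 80, else None."""
    if flow.dport != 80 or looks_like_http(flow.payload):
        return None
    # An SSH banner on the web port is a classic sign of a tunnel through
    # the "always open" port; the check is deliberately simple.
    if flow.payload.startswith(b"SSH-"):
        return f"ALERT non-HTTP (SSH) on port 80 from {flow.src} to {flow.dst}"
    return f"ALERT non-HTTP traffic on port 80 from {flow.src} to {flow.dst}"


def run(flows: List[Flow]) -> List[str]:
    """Run the check over a list of flows and collect the warnings."""
    return [a for a in (inspect(f) for f in flows) if a]


# Constructed sample traffic (not captured data); 203.0.113.0/24 is a
# documentation range.
SAMPLE = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow("10.0.0.7", "203.0.113.10", 80, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Flow("10.0.0.9", "203.0.113.10", 443, b"\x16\x03\x01"),
    Flow("10.0.0.9", "203.0.113.10", 80, b"\x00\x01\x02binary"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Running the script prints two alerts: one for the SSH banner and one for the binary payload; the normal HTTP request and the port-443 flow pass silently.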