NIDS Versus NIPS

It’s not a battle royale, but you should be able to differentiate between a network intrusion detection system (NIDS) and a network intrusion prevention system (NIPS) for the exam. Previously, in Chapter 3, “OS Hardening and Virtualization,” we discussed host-based intrusion detection systems (or HIDS). Although a great many attacks can hamper an individual computer, just as many network attacks could possibly take down a server, switch, router, or even an entire network. Network-based IDSs were developed to detect these malicious network attacks, and network-based IPSs were developed in an attempt to prevent them.

NIDS

A network intrusion detection system (NIDS) by definition is a type of IDS that attempts to detect malicious network activities, for example, port scans and DoS attacks, by constantly monitoring network traffic. Examples of NIDS include open source instances such as Snort (www.snort.org/), Bro (www.bro-ids.org/), and products from Enterasys (www.enterasys.com). A NIDS should be situated at the entrance or gateway to your network. It is not a firewall but should be used with a firewall. Because the NIDS inspects every packet that traverses through your network, it needs to be fast; basically the slower the NIDS, the slower the network. So the solution itself, the computer/device it is installed on and the network connections of that computer/device all need to be planned out accordingly to ensure that the NIDS does not cause network performance degradation.