Have you implemented an intrusion detection system (network-based)?
Explanation
Network monitoring is the subject of this control, asking whether you have deployed a network-based intrusion detection system to spot malicious traffic.
A Network-based Intrusion Detection System is a security technology that monitors network traffic for suspicious activity and policy violations. It analyzes network packets to detect known attack signatures or anomalous behavior that might indicate a security breach or attempted breach. Unlike host-based IDS (which runs on individual servers or endpoints), a network-based IDS monitors traffic across the entire network.
This question is being asked in a security assessment because NIDS is considered a fundamental security control for detecting potential network-based attacks. It helps organizations identify threats that have bypassed preventative controls like firewalls. Without intrusion detection capabilities, an organization might not be aware of ongoing attacks or compromises until significant damage has occurred.
When answering this question, you should:
- Clearly state whether you have implemented a network-based IDS
- Provide details about the specific solution(s) you've deployed (vendor/product)
- Mention where in your network architecture the IDS is deployed (at network perimeter, between network segments, etc.)
- Explain how alerts are monitored and responded to
- Note any integration with other security tools like SIEMs
If you don't have a network-based IDS, you should explain what compensating controls you have in place to detect network-based attacks.
Example Responses
Example Response 1
Yes, we have implemented a comprehensive network-based intrusion detection system We use Cisco Secure IDS deployed at our network perimeter and between critical network segments The system monitors all traffic entering and leaving our network, as well as traffic between our production and management networks Our IDS is configured with both signature-based detection for known threats and anomaly-based detection for identifying unusual patterns All alerts are forwarded to our Security Information and Event Management (SIEM) system where they are correlated with other security events and monitored 24/7 by our Security Operations Center (SOC) Critical alerts trigger automated notifications to our security team, who follow documented incident response procedures.
Example Response 2
Yes, we utilize Suricata as our network-based intrusion detection system It is deployed in a distributed architecture with sensors at our internet edge, data center perimeter, and between internal network zones Our Suricata implementation uses regularly updated threat intelligence feeds to detect known malicious activity, and we've developed custom rules specific to our environment and applications The IDS logs are aggregated into our Elastic Stack deployment where automated analysis occurs Our security team reviews alerts during business hours, with critical alerts triggering PagerDuty notifications for immediate response We conduct monthly reviews of IDS effectiveness and tune rules to minimize false positives while maintaining detection capabilities.
Example Response 3
No, we have not implemented a dedicated network-based intrusion detection system Instead, we rely on our next-generation firewall's built-in threat detection capabilities, which provide some intrusion detection functionality but not as comprehensive as a dedicated NIDS solution We recognize this as a gap in our security architecture and have included the implementation of a proper network-based IDS in our security roadmap for the next fiscal quarter In the interim, we've enhanced our endpoint detection and response (EDR) solution coverage across all systems and implemented more extensive logging and monitoring to help detect potential intrusions through other means We're also conducting more frequent vulnerability assessments to identify and address potential entry points before they can be exploited.
Context
- Tab
- Infrastructure
- Category
- Firewalls, IDS, IPS, and Networking
Related questions
- Are you utilizing a stateful packet inspection (SPI) firewall?
- Do you have a documented policy for firewall change requests?
- Do you employ host-based intrusion detection?
- Are audit logs available for all changes to the network, firewall, IDS, and IPS systems?
- Is authority for firewall change approval documented? Please list approver names or titles in Additional Info.
- Have you implemented an intrusion prevention system (network-based)?

