Do I really need an IDS/NIDS?

I have a small home network which has various anti-malware/personal firewall software installed on the host systems (PCs) and a hardware firewall (Zywall 2 Plus) as perimeter protection.

There's a trend to expensiver firewall solutions called 'UTM' devices that unite intrusion prevention, anti-virus, URL- and spam filtering through licensed services (=annual fees). Though in the home segment such appliances are not common, I wonder whether it would make sense to invest in such a thing for my home network.

Agreed, an additional layer of security would make me feel better, but the costs for such systems and the annual fees are high, and because of my network topology I'd need to invest in another pair of WLAN bridges as well just to have an IPS.

I have no clue from what kind of attacks such a NIDS/IPS/IDS or however it's name is would save me from and if it would be beneficial at all if I need no URL etc. filter but only anti virus and intrusion protection.
Is a firewall vulnerable to intrusions from outside in general so I need additional protection (snort comes to my mind) or is there some other concept an IPS would be of value?

Any comments?

Andreas

 

Hello,
You do not need it.
Your firewall should do the trick.
And if you really itch, go for SmoothWall firewall - Linux, free + Snort.
Mrk

 

In my humble opinion you don't need it as Mrk says... The average home user is never going to see any "attacks".

 

Intrusion detection systems can catch some attacks that firewalls can't.

As one example, consider DNS Tunneling. A trojan, spyware, or rogue user may attempt to bypass your firewall via a DNS tunnel. It asks your trusted DNS server to lookup the following names:

direc.outside.com
tory_.outside.com
conte.outside.com
nts_o.outside.com
f_c_d.outside.com
dive_.outside.com

The IP address replies could also include encoded information. In fact, there's already an IP-over-DNS suite you can download for free.

Most hardware firewalls would only see DNS queries and replies being sent to a trusted local server and therefore permit them without warning. An intrusion detection system could note the high volume of DNS traffic and take action or warn you about the threat.

On the plus side, a firewall or HIPS software solution would have a 33% chance of stopping the malware according to recent tests.

How likely are you to come under attack, and what might you lose if one is successful?

 

Let me get this straight, that involves a trojan running on my computer? Not disregarding your information, just clarification.

And this would be useful also if i run some server software?

 

Correct. This involves a trojan or spyware running on your computer, or a rogue user attempting to bypass your firewall(s).

 

You can use TINY's IDS/IPS it's works ok

 

I also have a home network (3 computers,) protected by a router. Would ESS (Eset Smart Security) or KIS's IDS systems really provide me more protection than Comodo does?