ISM-1030 (ASD Information Security Manual)

Deploy NIDS/NIPS for Gateway Traffic Monitoring

Install and configure systems to detect and alert on unauthorized network traffic past the main firewall.


Plain language

This control is about placing systems that will watch over your network right inside your main firewall. These systems alert you if something suspicious gets through, which is crucial because it helps catch potential threats before they can do damage. Without it, harmful activities could go unnoticed, leading to data breaches or system disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A NIDS or NIPS is located immediately inside the outermost firewall for gateways and configured to generate event logs and alerts for network traffic that contravenes any rule in a firewall ruleset.

Why it matters

Without a NIDS/NIPS inside the outermost gateway firewall, traffic breaching firewall rules may go unlogged and undetected, enabling compromise.


Operational notes

Place the NIDS/NIPS immediately inside the outermost gateway firewall and tune signatures to alert/log any traffic that contravenes firewall rules.


Implementation tips

  • The IT team should install a Network Intrusion Detection System (NIDS) or Network Intrusion Prevention System (NIPS) just inside the main firewall. They can do this by choosing a reliable system, setting it up physically in the network, and ensuring it's plugged into the correct network segment.
  • The IT manager should configure the NIDS/NIPS to monitor for suspicious traffic. This involves setting it up to compare network activity against a set of rules or patterns that signal unauthorised actions.
  • System administrators should ensure the NIDS/NIPS generates logs and alerts. They need to configure the system to automatically record whenever it detects suspicious activities and send alerts to the security team.
  • The security team should regularly review the alerts generated by NIDS/NIPS. They should check these alerts daily to understand if there are recurring issues and resolve them promptly.
  • The procurement officer should ensure there is a budget for regular maintenance and updates of the NIDS/NIPS. This can be done by liaising with IT to understand the system's requirements and including these costs in the financial planning.
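The tips above describe a sensor that sits immediately inside the outermost firewall and raises an alert whenever it sees traffic the firewall ruleset says should never have been passed. The following Python is an added illustration of that detection logic and is not code from the ISM or from this site. It assumes a constructed first-match, default-deny firewall ruleset and a constructed flow-log format (`timestamp proto src:port -> dst:port`); any flow observed inside the firewall that resolves to a deny verdict is, by definition, traffic that contravenes a firewall rule and is turned into an alert record. All addresses are from documentation ranges.

```python
import ipaddress
import re

# Constructed firewall ruleset (not a real device export): evaluated top-down,
# first match wins, with an explicit catch-all deny at the bottom.
# dports is an inclusive (low, high) destination-port range.
FIREWALL_RULES = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",      "dst": "203.0.113.10/32", "dports": (443, 443)},
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",      "dst": "203.0.113.11/32", "dports": (25, 25)},
    {"action": "allow", "proto": "udp", "src": "203.0.113.0/24", "dst": "0.0.0.0/0",       "dports": (53, 53)},
    {"action": "deny",  "proto": "any", "src": "0.0.0.0/0",      "dst": "0.0.0.0/0",       "dports": (0, 65535)},
]

# Constructed flow records as a sensor inside the firewall might emit them.
# Lines 2 and 4 should have been blocked by the ruleset; line 5 is malformed.
SAMPLE_FLOWS = [
    "2026-03-19T10:00:01Z tcp 198.51.100.7:51000 -> 203.0.113.10:443",
    "2026-03-19T10:00:02Z tcp 198.51.100.7:51001 -> 203.0.113.10:22",
    "2026-03-19T10:00:03Z udp 203.0.113.20:40000 -> 198.51.100.53:53",
    "2026-03-19T10:00:04Z icmp 198.51.100.9:0 -> 203.0.113.11:0",
    "not a flow record",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one constructed flow-log line; return None for unparseable input."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def rule_matches(rule, flow):
    """True if the flow falls within the rule's protocol, address and port scope."""
    if rule["proto"] != "any" and rule["proto"] != flow["proto"]:
        return False
    if flow["src"] not in ipaddress.ip_network(rule["src"]):
        return False
    if flow["dst"] not in ipaddress.ip_network(rule["dst"]):
        return False
    low, high = rule["dports"]
    return low <= flow["dport"] <= high


def firewall_verdict(rules, flow):
    """Return (action, rule_index) for the first matching rule; default deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule["action"], index
    return "deny", None


def contravening_flows(rules, lines):
    """Alert on every parseable flow seen inside the firewall that the ruleset denies.

    Because the sensor sits immediately inside the outermost firewall, a denied
    verdict here means the firewall passed traffic its own ruleset forbids.
    """
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed records are skipped, not silently treated as allowed
        action, index = firewall_verdict(rules, flow)
        if action == "deny":
            alerts.append({
                "ts": flow["ts"],
                "proto": flow["proto"],
                "src": str(flow["src"]),
                "dst": str(flow["dst"]),
                "dport": flow["dport"],
                "rule_index": index,
                "message": "traffic contravenes firewall ruleset",
            })
    return alerts


if __name__ == "__main__":
    for alert in contravening_flows(FIREWALL_RULES, SAMPLE_FLOWS):
        print(alert)
```

A real NIDS/NIPS would express the same check as signatures or policy rules rather than a hand-written evaluator; the point of the example is that the alert condition is derived directly from the firewall ruleset, so the sensor's output is evidence that the firewall is (or is not) enforcing its own policy.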

Audit / evidence tips

  • Ask: the network diagram. Request the document that shows where the NIDS/NIPS is installed. Good: the diagram should show the NIDS/NIPS placed immediately inside the main firewall.
  • Ask: the alert log. Request logs from the NIDS/NIPS that record unusual activities. Good: regular entries indicating detection attempts with timestamps and actions taken.
  • Ask: configuration documentation. Request the setup guidelines for the NIDS/NIPS. Good: detailed configurations showing compliance with security standards and policies.
  • Ask: security team training records. Request proof of staff training on responding to NIDS/NIPS alerts. Good: recent and regular training records with clear objectives and attendee lists.
  • Ask: a maintenance report. Request evidence of regular checks and updates. Good: a report showing scheduled upkeep, software updates, and any issue resolutions.

Cross-framework mappings

How ISM-1030 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.15: ISM-1030 requires NIDS/NIPS-generated event logs and alerts for gateway traffic that breaches firewall rules
  • Annex A 8.16: ISM-1030 requires deploying a NIDS/NIPS at the gateway perimeter and generating event logs and alerts for traffic that contravenes firewa...
Related (1)
  • Annex A 8.20: Annex A 8.20 requires networks to be secured, managed and controlled, which includes monitoring and detecting unauthorised or policy-viol...

E8

Partially overlaps (1)
  • E8-MF-ML2.8: E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events
Depends on (1)
  • E8-AH-ML2.15: E8-AH-ML2.15 requires organisations to analyse cyber security events in a timely manner to identify incidents

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
