What Is a Network Intrusion Detection System (IDS)? Why a Firewall Alone Is Not Enough for Singapore SMEs
A firewall controls what traffic enters and leaves your network. An IDS watches what is happening inside it — detecting the threats that are already through the door and moving quietly between your systems.
When Singapore SME owners think about network security, the firewall is usually the first and often the only control that comes to mind. Firewalls have been the standard answer to “how do you protect your network?” for decades, and for good reason — they are a fundamental and necessary layer of defence. But the assumption that a firewall provides comprehensive network security is one of the most persistent and consequential misconceptions in small business cybersecurity.
A firewall controls the boundary. It decides what traffic is allowed in and what is blocked at the perimeter. What it does not do is monitor what happens inside the network after traffic has been permitted through. An attacker who gains initial access — through a phishing email, a compromised device, a stolen VPN credential, or a vulnerability in an internet-facing system — has passed the firewall. They are now inside your network, and a firewall has nothing more to tell you about what they do next. They can move between systems, access shared drives, search for sensitive data, escalate their permissions, and prepare for ransomware deployment — all of it occurring within the network boundary that the firewall was protecting, all of it invisible to the firewall that let them in.
A Network Intrusion Detection System — IDS — is the security function that watches the inside of the network. It monitors the traffic flowing between your devices, servers, and systems, looking for patterns that indicate something suspicious is happening — an attacker moving laterally, malware communicating with an external server, unusual volumes of data being transferred before exfiltration. Where the firewall controls the boundary, IDS monitors the interior. Both are necessary, because the real damage of most cyber attacks happens not at the moment of initial access, but in the time that follows it.
A Network Intrusion Detection System (IDS) is a cybersecurity tool that monitors network traffic — the data flowing between devices, systems, and the internet — to detect suspicious activity and alert security teams when potential threats or attacks are identified.
- Network — the connections between your office devices, servers, cloud systems, and the internet
- Intrusion — unauthorised or suspicious activity within those connections, including attacker movement and malware communication
- Detection — identifying those patterns and generating alerts so they can be investigated and acted upon
In this article

- What is a Network Intrusion Detection System?
- Firewall vs IDS — why one is not enough without the other
- How attackers move inside networks — and what IDS detects
- Real SME example: an accounting firm
- Types of intrusion detection systems
- IDS vs IPS vs firewall vs EDR — understanding the stack
- Signs your business lacks internal network visibility
- How Singapore SMEs can improve network detection
- Frequently asked questions
What Is a Network Intrusion Detection System?
A Network Intrusion Detection System (IDS) is a cybersecurity tool that monitors the traffic flowing across your network — between devices, servers, cloud systems, and the internet — and generates alerts when it detects patterns that indicate suspicious or potentially malicious activity.
Think of your business network as a building. The firewall is the security checkpoint at the entrance — it checks who is coming in and turns away obvious threats. An IDS is the security monitoring system inside the building — the cameras watching every corridor and room, noting when someone is behaving in a way that does not match a legitimate visitor: opening doors they should not be opening, carrying items they should not be carrying, moving in patterns that suggest they are looking for something rather than going somewhere they belong.
IDS operates by examining network traffic in real time, comparing what it sees against two categories of detection criteria: known attack signatures (patterns associated with documented attack techniques and malware communication) and behavioural baselines (what normal traffic looks like in this specific environment, so that deviations are flagged). When traffic matches either a known attack pattern or an anomaly relative to established norms, the IDS generates an alert for investigation.
A network IDS monitors for a range of suspicious traffic patterns, including:
- Devices communicating with known malicious IP addresses or domains
- Unusual data transfers — large volumes of data moving to unexpected destinations
- Lateral movement — devices on the internal network attempting to connect to other devices in unusual patterns
- Port scanning — automated probing of systems to find open services and entry points
- Malware command-and-control communication — compromised devices contacting attacker-controlled servers
- Protocol anomalies — traffic that uses network protocols in ways that deviate from normal specifications
Firewall vs IDS — Why One Is Not Enough Without the Other
Understanding what a firewall does and does not do is the foundation of understanding why IDS is necessary. These two tools address different parts of the same problem — and a gap between them is where most post-entry attack activity goes undetected.
| Capability | Firewall | IDS |
|---|---|---|
| Primary function | Controls and filters traffic at the network boundary — allowing or blocking connections based on defined rules | Monitors traffic within and across the network — detecting suspicious patterns that indicate a threat is active |
| Where it operates | At the perimeter — between your internal network and the internet, and between network segments | Inside the network — watching traffic between internal devices as well as between internal systems and external destinations |
| Handles permitted traffic | Limited — a firewall can log that a connection was allowed, but it does not keep analysing the session afterwards, and it never sees traffic between hosts on the same internal segment | Yes — IDS inspects all traffic on the network segment it covers, including traffic that the firewall permitted |
| Detects attacker movement after initial access | No — lateral movement between devices on the same segment does not pass through the perimeter firewall at all | Yes — internal network traffic generated by an attacker moving between systems is visible to IDS |
| Detects data exfiltration | Partially — can block traffic to known malicious destinations, but cannot tell whether permitted outbound traffic carries sensitive data | Largely — large or unusual outbound transfers, connections to new or unexpected destinations, and transfer patterns outside the baseline stand out by volume, timing and destination even when the payload is encrypted; like the firewall, IDS cannot read inside an encrypted stream |
| Takes action on threats | Yes — blocks traffic that matches its rules | No — IDS detects and alerts, but does not block (that is the function of an IPS — Intrusion Prevention System) |
The practical implication for Singapore SMEs is straightforward: a firewall protects against threats that arrive at the perimeter and match known block rules. The moment an attacker is inside — through a compromised employee account, a phishing-delivered malware infection, or a vulnerability in an internet-facing system — the firewall has exhausted its protective function. IDS picks up where the firewall ends.
How Attackers Move Inside Networks — and What IDS Detects
Once an attacker has initial access to your network, their subsequent actions follow a recognisable pattern. This sequence — called lateral movement and post-exploitation — is where the most damaging phases of an attack occur, and where IDS monitoring provides its most critical value.
| Stage | What the attacker does | Network traffic generated | What IDS detects |
|---|---|---|---|
| 1. Establish foothold | Malware on a compromised device makes contact with an external command-and-control server to receive instructions | Outbound connections from internal device to external IP addresses — often using standard web ports (80, 443) to blend in | Connections to known malicious IPs or domains, unusual outbound connection patterns from devices that do not typically communicate externally |
| 2. Network reconnaissance | Attacker scans the internal network to identify other devices, shared drives, servers, and potentially valuable targets | Systematic probing traffic from the compromised device to multiple internal IP addresses in quick succession | Internal port scanning patterns — a device attempting connections to many other devices in the network within a short timeframe |
| 3. Lateral movement | Attacker uses discovered credentials or vulnerabilities to move from the initial compromised device to other systems on the network | Unusual authentication attempts and connections between internal devices — particularly devices that do not typically communicate directly | Abnormal device-to-device connection patterns, failed authentication attempts across multiple internal systems, unusual use of remote access protocols between internal devices |
| 4. Data access and staging | Attacker accesses files, databases, and shared drives — copying or aggregating target data for later exfiltration | Elevated traffic between the compromised device and file servers or storage systems — unusual access volumes | Unusual spike in traffic to file servers from a specific device, bulk data transfer patterns inconsistent with normal usage |
| 5. Exfiltration | Attacker transfers collected data outside the network — to cloud storage, email addresses, or attacker-controlled servers | Large outbound data transfer to an external destination — potentially using encrypted channels or legitimate services to blend in | Outbound transfer volume significantly above baseline for the device or time period, transfers to new or unusual external destinations, use of protocols associated with data exfiltration |
Each of these stages generates network traffic that IDS is specifically designed to detect. The attacker’s activity is not invisible: it produces signals that, without IDS monitoring, simply pass unnoticed. With IDS monitoring and prompt alert review, these signals can surface as early as stage 1 or 2, before lateral movement to sensitive systems has occurred and well before data exfiltration or ransomware deployment.
Many SME cyber incidents are not detected because businesses focus only on blocking threats at the perimeter — and have no visibility into what happens after an attacker is inside. The firewall did not fail. The attacker simply found a way through it — a phishing email, a stolen credential, a compromised vendor device connecting to the network. Once through, they had the run of the network with no one watching.
IDS does not prevent initial access. It changes what happens after initial access — from weeks of invisible attacker operation to hours of visible, alertable, and actionable network activity.
Key Takeaways

- Firewalls control what enters the network — IDS monitors what happens inside it
- Post-access attacker movement generates detectable network traffic that IDS is designed to surface
- Detection inside the network is what converts a silent breach into an actionable incident
Real SME Example: A Singapore Accounting Firm
An accounting firm serving small and medium businesses handles client financial statements, tax filings, and payroll data. Staff work from a shared office network with a mix of Windows desktops and laptops, a file server holding client documents, and a cloud accounting platform accessed through web browsers.
A staff accountant receives a phishing email appearing to come from a cloud service the firm uses for client document sharing. She clicks a link and enters her Windows login credentials on a convincing-looking fake page. The attacker has captured her credentials and gains remote access to her workstation that evening.
Using her workstation as an entry point, the attacker spends 40 minutes scanning the firm’s internal network — probing other devices and the file server to map what is accessible. This generates a distinctive pattern: her workstation attempts connections to 23 different internal IP addresses within 40 minutes, far outside the normal behaviour of an office computer during the evening. The traffic pattern matches known network reconnaissance behaviour.
The attacker then connects to the file server using credentials cached on the accountant’s workstation and begins accessing client folders — generating sustained, high-volume file server traffic from a single device at 10pm on a Tuesday. Over the next three days, the attacker returns twice, accessing additional client folders and eventually accessing the payroll data for twelve of the firm’s clients.
The firm’s network has a firewall — it did not block any of this activity, because it occurred on the internal network using legitimate-looking connections and permitted protocols. The firm has no IDS. The breach is discovered only when a client reports suspicious activity in their payroll records three weeks after the initial compromise.
With IDS monitoring: the reconnaissance scan on night one (23 connection attempts from a single internal device within 40 minutes, at 10pm) could have raised a network anomaly alert within minutes, and the file server access volume at 10pm would have been flagged as a deviation from baseline. Provided someone reviewed and acted on those alerts that night, the attacker could have been identified and the workstation isolated before the payroll data was reached.
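To make the stage table above and this scenario concrete, here is an added Python example. It is not part of the original article and is not ArkShield’s or any IDS product’s detection logic. It runs the two kinds of check the article describes, a signature match against a list of known-bad addresses and behavioural checks against a baseline, over constructed Zeek-style connection records (timestamp, source, destination, port, bytes sent). The 10.20.0.0/16 address plan, the file server at 10.20.0.10, the listed address 203.0.113.45, office hours of 08:00 to 19:00 and every threshold are assumptions chosen to reproduce the scenario: 23 internal hosts probed within 40 minutes, 1.8 GB pulled from the file server at 10pm, and a later upload to an outside address.

```python
"""Flow-record checks for the attack stages in the text. Added example, not ArkShield's
or any IDS product's code; records, addresses, thresholds and office hours are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_PREFIX = "10.20."           # assumed office address plan
FILE_SERVER = "10.20.0.10"           # assumed file server address
KNOWN_BAD_IPS = {"203.0.113.45"}     # assumed blocklist entry (documentation address range)
OFFICE_HOURS = range(8, 19)          # 08:00-18:59 treated as business hours
SCAN_DISTINCT_HOSTS = 20             # distinct internal destinations from one host...
SCAN_WINDOW = timedelta(minutes=40)  # ...within this window counts as reconnaissance
BULK_MULTIPLIER = 10                 # off-hours file-server bytes vs. the host's own baseline
EXFIL_BYTES = 500_000_000            # bytes to one external host within one hour

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def parse_flows(lines):
    """Parse 'ts src dst dst_port bytes_out' records (Zeek-style, constructed) sorted by time."""
    flows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])

def known_bad_destinations(flows):
    """Signature-style check (stage 1): an internal host contacting a listed malicious address."""
    return [("known-malicious-destination", f["src"], f["dst"], f["ts"])
            for f in flows if is_internal(f["src"]) and f["dst"] in KNOWN_BAD_IPS]

def internal_scans(flows):
    """Anomaly check (stage 2): one host reaching many distinct internal hosts inside SCAN_WINDOW."""
    events = defaultdict(list)  # src -> time-ordered [(ts, dst)] for internal-to-internal flows
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            events[f["src"]].append((f["ts"], f["dst"]))
    alerts = []
    for src, seen in events.items():
        for i, (start, _) in enumerate(seen):
            targets = {dst for ts, dst in seen[i:] if ts - start <= SCAN_WINDOW}
            if len(targets) >= SCAN_DISTINCT_HOSTS:
                alerts.append(("internal-scan", src, len(targets), start))
                break  # one alert per scanning host is enough
    return alerts

def file_server_baseline(flows):
    """Behavioural baseline: mean bytes per office hour that each host sends to the file server."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dst"] == FILE_SERVER and f["ts"].hour in OFFICE_HOURS:
            per_hour[f["src"]][f["ts"].replace(minute=0, second=0)] += f["bytes"]
    return {src: sum(h.values()) / len(h) for src, h in per_hour.items()}

def off_hours_bulk_access(flows):
    """Anomaly check (stage 4): off-hours file-server volume far above the host's baseline."""
    baseline, hourly = file_server_baseline(flows), defaultdict(int)
    for f in flows:
        if f["dst"] == FILE_SERVER and f["ts"].hour not in OFFICE_HOURS:
            hourly[(f["src"], f["ts"].replace(minute=0, second=0))] += f["bytes"]
    return [("off-hours-bulk-file-access", src, total, hour) for (src, hour), total in hourly.items()
            if total > BULK_MULTIPLIER * baseline.get(src, 0)]  # a host with no baseline also alerts

def large_outbound_transfers(flows):
    """Volume check (stage 5): a large hourly transfer from an internal host to one external address."""
    hourly = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hourly[(f["src"], f["dst"], f["ts"].replace(minute=0, second=0))] += f["bytes"]
    return [("large-outbound-transfer", src, dst, total)
            for (src, dst, _), total in hourly.items() if total >= EXFIL_BYTES]

def detect(lines):
    flows = parse_flows(lines)
    return {"signature": known_bad_destinations(flows), "scan": internal_scans(flows),
            "bulk": off_hours_bulk_access(flows), "exfil": large_outbound_transfers(flows)}

def sample_flows():
    """Constructed records mirroring the accounting-firm scenario; not captured traffic."""
    lines = [
        "2024-03-12T09:15:00 10.20.1.57 10.20.0.10 445 4000000",  # normal daytime file use
        "2024-03-12T11:40:00 10.20.1.57 10.20.0.10 445 5000000",
        "2024-03-12T15:05:00 10.20.1.57 10.20.0.10 445 3000000",
        "2024-03-12T21:58:00 10.20.1.57 203.0.113.45 443 1200",   # stage 1: C2 check-in on 443
        "2024-03-12T22:50:00 10.20.1.57 10.20.0.10 445 1800000000",  # stage 4: 1.8 GB at 10 pm
        "2024-03-13T01:10:00 10.20.1.57 198.51.100.7 443 900000000",  # stage 5: upload to outside
    ]
    start = datetime(2024, 3, 12, 22, 0)  # stage 2: 23 internal hosts probed on 445 in 23 minutes
    lines += [f"{(start + timedelta(minutes=i)).isoformat()} 10.20.1.57 10.20.1.{100 + i} 445 120"
              for i in range(23)]
    return lines

if __name__ == "__main__":
    for kind, alerts in detect(sample_flows()).items():
        for alert in alerts:
            print(kind, *alert)
```

Run it directly and it prints one line per alert, one for each stage the scenario walks through. A real NIDS would take its records from a mirror port or TAP feed rather than a list, and the thresholds would be tuned to the environment over a learning period; the point is that every stage in the table leaves a trace in flow metadata (who talked to whom, when, how much), which is why the encrypted check-in on port 443 and the encrypted upload still stand out without any payload inspection.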
This scenario reflects the pattern that makes accounting, legal, and professional services firms particularly high-value targets in Singapore: they hold financial and personal data for multiple businesses under a single network. A breach of one device potentially exposes client data across the entire portfolio. The reputational and financial consequences of a breach at this scale — across multiple clients simultaneously — are disproportionately severe for a small firm.
Types of Intrusion Detection Systems
IDS comes in several configurations, each providing visibility into a different part of the network environment. Understanding these helps clarify what coverage different implementations provide.
| Type | Where it operates | What it monitors | Best suited for |
|---|---|---|---|
| Network-based IDS (NIDS) | A dedicated sensor fed by a mirror (SPAN) port on a switch or by a network TAP, so it sees every packet crossing the segment without sitting in the traffic path | All network traffic between devices on the monitored segment — east-west traffic between internal devices as well as north-south traffic to and from the internet | Detecting lateral movement, reconnaissance, command-and-control communication, and data exfiltration patterns |
| Host-based IDS (HIDS) | On individual devices — similar to EDR in concept, monitoring the network activity and file system activity of a specific device | Network connections initiated by or received by that specific device, plus file access patterns and system activity | Detecting suspicious behaviour specific to a single device — complements NIDS rather than replacing it |
| Signature-based detection | Applies across NIDS and HIDS implementations — a detection methodology rather than a deployment type | Traffic that matches documented attack signatures — known malware communication patterns, known exploit traffic, documented attacker techniques | Detecting known attacks quickly and with high confidence — effective but limited to documented threats |
| Anomaly-based (behavioural) detection | Also a methodology rather than a deployment type — applies within NIDS and HIDS | Traffic that deviates from the established baseline of normal network behaviour — flagging unusual patterns even if they do not match a known attack signature | Detecting novel attacks, zero-day exploits, and insider threats that do not match documented signatures |
Modern IDS implementations typically combine both signature-based and anomaly-based detection, using known attack signatures for confident detection of documented threats and behavioural analysis to catch threats that have not yet been documented. The trade-off is that signatures miss anything not yet documented, while anomaly detection needs a learning period to build its baseline and ongoing tuning to keep false positives manageable. The most effective deployment for Singapore SMEs combines network-level NIDS with endpoint monitoring (EDR) to provide both network-wide and device-specific visibility.
IDS vs IPS vs Firewall vs EDR — Understanding the Stack
Several closely related security tools address different aspects of detection and prevention — and understanding how they relate helps clarify what each one contributes to a complete security posture.
| Tool | What it does | Does it block? | Where it operates |
|---|---|---|---|
| Firewall | Controls traffic at the network boundary — allowing or blocking connections based on defined rules about source, destination, and protocol | Yes — blocks traffic that matches its rules at the network perimeter | Network boundary (perimeter) |
| IDS (Intrusion Detection System) | Monitors network traffic for suspicious patterns — generating alerts when threats are detected, but not blocking traffic | No — detects and alerts only | Inside the network (post-perimeter) |
| IPS (Intrusion Prevention System) | Like IDS, but with the ability to automatically block traffic it identifies as malicious — combining detection and active prevention | Yes — can automatically block detected threats in real time | Inside the network, or at the perimeter alongside a firewall |
| EDR (Endpoint Detection and Response) | Monitors activity on individual devices — tracking processes, file access, and device-level network connections to detect suspicious behaviour on endpoints | Partially — can isolate a device or terminate processes, but primarily focused on detection and investigation | On individual devices (endpoints) |
Firewall — controls the perimeter. Blocks known bad traffic at the boundary.
IDS — watches the interior. Alerts when suspicious patterns appear inside the network, including traffic the firewall permitted.
IPS — watches and blocks. An evolution of IDS that can automatically stop detected threats rather than just alerting on them.
EDR — watches individual devices. Complements IDS by providing device-level visibility that network monitoring alone cannot see.
For most Singapore SMEs, the practical path is engaging a managed security provider whose service incorporates IDS/IPS capability alongside EDR and cloud monitoring — delivering comprehensive visibility across the network and device layers without requiring the business to deploy and manage each tool independently.
Signs Your Business Lacks Internal Network Visibility
Most Singapore SMEs have firewalls but no internal network monitoring. These indicators suggest your network security may have a significant post-perimeter visibility gap.
- Your network security is described primarily in terms of your firewall — you have not discussed IDS, IPS, or internal traffic monitoring with your IT provider
- If an attacker gained access to your network through a compromised staff device today, you would have no mechanism to detect their subsequent movement between internal systems
- You have no visibility into whether devices on your internal network are communicating with external servers they would not normally contact
- A staff device infected with malware could communicate with an attacker’s command-and-control server continuously, and no alert would be generated unless the firewall happened to have that specific server on its block list
- You have remote workers connecting to your network via VPN — but no monitoring of what their devices do on the network once connected
- Your IT provider manages your firewall but has not mentioned internal network traffic monitoring, anomaly detection, or IDS as part of your security coverage
- You have never received an alert about unusual internal network traffic — not because nothing unusual has occurred, but because no system is watching for it
How Singapore SMEs Can Improve Network Detection
Deploying and operating a standalone IDS requires network expertise and ongoing management. For most Singapore SMEs, the practical route is through a managed security provider whose service incorporates network intrusion detection as part of a broader monitoring capability.
| Step | What it involves | Why it matters |
|---|---|---|
| Assess your current network visibility | Ask your IT provider specifically: is there any monitoring of internal network traffic between devices on our network? If the answer is no or uncertain, the gap is present. | Most SMEs discover at this stage that their firewall is their only network security control — with no post-perimeter detection capability |
| Implement network traffic monitoring | Engage a managed security provider who incorporates network traffic analysis into their service — watching internal traffic patterns alongside perimeter controls | Network monitoring provides visibility into attacker movement that firewall logs and endpoint tools cannot see independently |
| Segment your internal network | Where possible, separate different parts of your network — staff devices, servers holding sensitive data, and systems accessible by third parties — so that a compromise in one segment does not automatically give access to others | Network segmentation reduces the damage potential of lateral movement — an attacker who compromises a staff device cannot automatically reach the server holding client financial data if they are on separate network segments |
| Combine IDS with EDR and cloud monitoring | IDS watches the network; EDR watches individual devices; cloud monitoring watches your cloud platforms. Together they provide visibility across all three layers where attacks occur. | No single monitoring layer covers the full attack surface. Combining network, endpoint, and cloud monitoring eliminates the visibility gaps that sophisticated attackers exploit |
| Ensure alerts are monitored in real time | IDS alerts are only valuable if someone reviews them immediately. Engage a provider with real-time alert monitoring — not batch review the following morning. | An attacker who performs reconnaissance at 10pm and is not detected until 9am the next day has had 11 hours to move through your network unimpeded |
For businesses building out their broader security posture alongside network monitoring, the essential cybersecurity checklist for Singapore SMEs covers the foundational controls that work alongside IDS to reduce the risk of initial network compromise. The cybersecurity risk assessment checklist specifically addresses network security coverage as a component of overall posture assessment.
When we review network security for Singapore SMEs, the conversation about what happens after an attacker is inside the network consistently reveals the same gap. Businesses have firewalls. They have antivirus on devices. They may have endpoint protection. But none of those tools watch what is happening between devices on the internal network — and that is precisely where attacker lateral movement, reconnaissance, and data staging occur.
IDS is not a replacement for any of those controls. It is the complementary layer that covers the space between them — the interior of the network that firewalls protect the boundary of but do not monitor the inside of.
Key Takeaways

- Firewalls control the perimeter — IDS monitors what happens inside it
- Post-access attacker activity generates network traffic that is detectable if someone is watching
- Internal network visibility is the missing layer in most Singapore SME security postures
Frequently Asked Questions
What is the difference between an IDS and a firewall?
A firewall controls traffic at the network boundary — it decides what connections are allowed in and out based on predefined rules. Once traffic is permitted through the firewall, the firewall has no further visibility into it. An IDS monitors traffic inside the network — watching what happens after the firewall has made its decision, including traffic between internal devices that never passes through the perimeter firewall at all. Firewalls prevent; IDS detects. Both are necessary because not all threats can be prevented at the perimeter, and what happens inside the network after initial access is where the most serious damage typically occurs.
What is the difference between an IDS and an IPS?
An IDS (Intrusion Detection System) detects suspicious network activity and generates alerts — but does not take action to block the traffic. An IPS (Intrusion Prevention System) does both — it detects suspicious traffic and can automatically block it in real time. An IPS is effectively an IDS with a response capability added. For Singapore SMEs, many modern network security solutions combine IDS and IPS functionality, allowing both detection and automated blocking of identified threats. The distinction matters because IDS requires a human to review and act on alerts, while IPS can contain some threats automatically — though automated blocking also carries a risk of false positives blocking legitimate traffic if not properly tuned.
Does my managed IT provider already run an IDS on my network?
Possibly, but it is worth asking directly. Many managed IT providers focus on maintaining infrastructure rather than actively monitoring for security threats — and “managing the network” may mean managing the firewall and connectivity without including internal network traffic monitoring. Ask specifically: “Is there any active monitoring of traffic between devices on our internal network, and do you receive alerts if unusual communication patterns are detected?” The answer will clarify whether IDS capability is present in your current arrangement.
Does IDS work for businesses with remote workers?
IDS in the traditional sense monitors your office network, so a remote worker’s device is covered only for the traffic that actually travels through the VPN into that network. With a split-tunnel VPN, where only traffic bound for office resources goes through the tunnel, the device’s other internet traffic is not seen, and a device that is off the VPN entirely is not covered by network-level IDS at all. This is one reason why EDR on individual devices is a complementary and important layer: it provides device-level monitoring that follows the device regardless of network location. For businesses with significant remote or hybrid workforces, a combination of network IDS (covering the office network and VPN traffic) and EDR (covering devices wherever they operate) provides the most complete visibility. For more on remote work security risks, our dedicated guide covers the broader considerations.
Can IDS detect ransomware?
Yes — IDS is effective at detecting several of the network-level indicators that precede and accompany ransomware attacks. Before encryption, ransomware typically performs network reconnaissance (detectable as internal scanning traffic), communicates with command-and-control servers (detectable as unusual outbound connections), and may move laterally to connected devices and network shares (detectable as abnormal device-to-device communication). These activities generate network traffic signatures that IDS is specifically designed to flag. Early IDS detection of these precursor activities creates the opportunity to isolate the affected device before ransomware encryption begins.
How does IDS fit with MDR?
IDS is a detection tool — it monitors network traffic and generates alerts when suspicious patterns are identified. MDR is a service that incorporates IDS (among other monitoring capabilities) with a security team that reviews alerts, investigates detected threats, and takes response action. IDS without a team monitoring its alerts provides detection data that no one acts on. MDR with IDS provides both the network-level detection and the human response capability that converts an alert into a contained incident. For Singapore SMEs, a managed security provider whose service includes IDS monitoring within an MDR framework is the most practical way to achieve both network visibility and active response.
Is IDS relevant for cloud environments, not just office networks?
Traditional network IDS is designed for on-premises networks where the business controls the infrastructure. For cloud environments — Microsoft 365, Google Workspace, SaaS applications — cloud security monitoring provides the equivalent function: watching activity within the cloud environment for suspicious patterns. Where a business hosts its own servers with a cloud provider rather than using SaaS, the provider’s network flow logs or virtual traffic-mirroring feeds can play the role a mirror port plays for NIDS on premises. Most modern managed security services incorporate both network-level IDS for office environments and cloud activity monitoring for cloud platforms, providing visibility across the hybrid environments that most Singapore SMEs now operate.
ArkShield is a Singapore-based cybersecurity firm built for SMEs. We provide network intrusion detection, Managed Detection and Response (MDR), endpoint monitoring, cloud security, and cybersecurity advisory — giving smaller businesses comprehensive visibility across their networks, devices, and cloud environments. We work with businesses across accounting, professional services, logistics, healthcare, finance, and retail. To learn more or speak with our team, visit arkshield.sg or reach us through our contact page.
This article is for general informational purposes only and does not constitute formal cybersecurity, legal, or compliance advice. Network security technologies and configurations evolve continuously — consult a qualified cybersecurity professional before making security decisions for your organisation. Scenarios described are illustrative, based on common incident patterns, and do not represent specific real-world cases. ArkShield accepts no liability for actions taken based on this content. By reading this article, you acknowledge our Privacy Policy. To report a potential security concern, refer to our Vulnerability Disclosure Policy. For enquiries, visit our contact page.


