An organization wants to detect and alert on potential network intrusions but does not want to risk blocking legitimate traffic. Which system should they deploy?
A NIDS is passive: it only alerts on potential intrusions and never blocks traffic, so even a false positive cannot interrupt legitimate traffic.
Why this answer
A Network-based Intrusion Detection System (NIDS) passively monitors network traffic and generates alerts when suspicious patterns are detected, but it does not take any inline action to block traffic. This makes it the correct choice for an organization that wants to detect and alert on potential intrusions without any risk of blocking legitimate traffic, as the NIDS operates out-of-band and cannot drop packets.
Exam trap
ISC2 often tests the distinction between detection (IDS) and prevention (IPS): an IDS is passive and out-of-band, while an IPS is inline and can block traffic. The trap here is confusing the alert-only capability of a NIDS with the active blocking of a NIPS or UTM appliance.
How to eliminate wrong answers
Option B is wrong because a Unified Threat Management (UTM) appliance typically includes intrusion prevention, antivirus, and content filtering that can actively block traffic, which introduces the risk of blocking legitimate traffic. Option C is wrong because a firewall with deep packet inspection (DPI) is an inline device that can drop or reject packets based on application-layer analysis, which could inadvertently block legitimate traffic. Option D is wrong because a Network-based Intrusion Prevention System (NIPS) is an inline device that actively drops or resets malicious traffic, directly contradicting the requirement to avoid blocking legitimate traffic.