Everything you need to know about IDSes



I've spent the past few months immersed in intrusion-detection systems and have learned more than I really wanted to know about them. In case you're wondering if you need an IDS, here are some points to keep in mind:

  • An IDS is only as good as its configuration. In order to tell whether something is amiss, an IDS needs to know everything about your network. For example, if you have Web servers running on Port 80 and Port 8008 on your network, you'd better tell your IDS, or it's not going to look in the right places. IDSes need to know not only where the server is running, but also which software it's running and even which version, in some cases. IDSes behave very differently if you're running Microsoft's Internet Information Server than if you're running Netscape's server. Be prepared to perform a thorough audit of your network before you turn the IDS on.

  • IDSes are dumb. You have to tell them everything or you'll be supersaturated with false positive alerts. Even if you do tell them everything, you'll still find IDSes are always one or two steps behind the latest attack. IDS products on the market don't use artificial intelligence or neural networks; they look for patterns that match known problems. If a well-known attack is changed by a single octet, the IDS may be unable to detect it. Make sure your IDS vendor has a plan for keeping your attack signatures updated constantly.

  • You need to know a lot of details. When evaluating IDSes, you need to know the different ways in which they operate. Stateful matching, context matching, protocol anomaly detection, pattern searching - all these terms have to be second nature when you're selecting a product. And not all IDSes perform the same function to the same level of detail. If you haven't learned the ins and outs of TCP/IP yet, be ready for a new education.

  • Be prepared to spend a lot of time - and money. Whether you purchase a fully configured IDS or roll your own with the freeware Snort, be prepared to spend time and money getting the IDS configured and installed. IDSes also take a lot of time to manage and administer on a daily basis. Every IDS vendor seeks to reduce false positive reports, but you're going to go through a lot of them before you get your IDS tuned.

  • The PR wars are in full swing. Even though the product niche is small and relatively new, products are already suffering from feature creep. Even features that look useful at first, such as active attack evasion, seem less than perfect when you examine them closely. Be sure to evaluate the risks and rewards of some of these newer features.

Don't get me wrong - IDS products have a definite place in corporate networks. Just don't expect them to be easy.
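The first three points above (the IDS only inspects the ports it has been told about, a signature misses an attack that differs by one octet, and protocol anomaly detection is a different mechanism from pattern searching) can be seen in a toy engine. The following Python is an added illustration written for this column, not Snort and not any vendor's code; the rule fields are loosely modelled on Snort's `content` and `nocase` options so the behaviour is recognisable, and every port, path, packet and rule in it is constructed for the example.

```python
"""Toy IDS: a pattern matcher gated by configured HTTP ports, plus a protocol
anomaly check. Constructed for illustration; not a real IDS engine."""
from dataclasses import dataclass
from urllib.parse import unquote

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


@dataclass
class Packet:
    dport: int        # destination TCP port as seen on the wire
    payload: bytes    # reassembled application data


@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes           # byte pattern to look for (cf. Snort 'content')
    nocase: bool = False     # compare case-insensitively (cf. Snort 'nocase')
    normalize: bool = False  # percent-decode the payload before comparing


class IDS:
    def __init__(self, http_ports, rules):
        # The engine only inspects ports the operator has declared as HTTP.
        self.http_ports = set(http_ports)
        self.rules = list(rules)

    @staticmethod
    def _matches(rule, payload):
        data, needle = payload, rule.content
        if rule.normalize:
            # undo %XX escapes so "%2D" and "-" compare equal
            data = unquote(data.decode("latin-1")).encode("latin-1")
        if rule.nocase:
            data, needle = data.lower(), needle.lower()
        return needle in data

    @staticmethod
    def protocol_anomalies(payload):
        """Flag requests that break HTTP's grammar, independent of any signature."""
        parts = payload.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) != 3:
            return ["malformed request line"]
        method, _uri, version = parts
        findings = []
        if method.decode("latin-1", "replace") not in HTTP_METHODS:
            findings.append("unknown method")
        if not version.startswith(b"HTTP/1."):
            findings.append("bad version")
        return findings

    def process(self, pkt):
        """Return (signature sids fired, protocol anomalies) for one packet."""
        if pkt.dport not in self.http_ports:
            return [], []  # unknown port: the payload is never looked at
        sids = [r.sid for r in self.rules if self._matches(r, pkt.payload)]
        return sids, self.protocol_anomalies(pkt.payload)


# Constructed sample traffic. The probed path is invented for this example.
PROBE = b"/cgi-bin/example-probe"


def http_get(path):
    return b"GET " + path + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


SAMPLES = {
    "exact_on_80":     Packet(80, http_get(PROBE)),
    "exact_on_8008":   Packet(8008, http_get(PROBE)),          # second Web server
    "one_octet_case":  Packet(80, http_get(b"/cgi-bin/Example-probe")),
    "percent_encoded": Packet(80, http_get(b"/cgi-bin/example%2Dprobe")),
    "bogus_method":    Packet(80, b"GETT " + PROBE + b" HTTP/1.0\r\n\r\n"),
}

PLAIN = Rule(1000001, "probe, exact bytes", PROBE)
NOCASE = Rule(1000002, "probe, nocase", PROBE, nocase=True)
NORMAL = Rule(1000003, "probe, nocase + URI decode", PROBE, nocase=True, normalize=True)


def run(http_ports, rules):
    """Run every sample through an IDS with the given ports/rules; return {name: sids}."""
    ids = IDS(http_ports, rules)
    return {name: ids.process(pkt)[0] for name, pkt in SAMPLES.items()}


def run_anomalies(http_ports):
    """Return {name: anomaly findings} with no signatures loaded at all."""
    ids = IDS(http_ports, [])
    return {name: ids.process(pkt)[1] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("ports {80}, plain rule:       ", run({80}, [PLAIN]))
    print("ports {80, 8008}, plain rule: ", run({80, 8008}, [PLAIN]))
    print("ports {80, 8008}, all rules:  ", run({80, 8008}, [PLAIN, NOCASE, NORMAL]))
    print("protocol anomalies:           ", run_anomalies({80, 8008}))
```

With only port 80 configured, the request to the second Web server on 8008 produces no alert at all; adding 8008 to the port set fixes that without touching a rule. The one-octet case change defeats the exact-byte rule and is caught only by the `nocase` variant, and the percent-encoded form defeats both until the payload is decoded first. The bogus method is flagged by the grammar check even with no signature loaded, which is the difference between protocol anomaly detection and pattern searching.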

Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

Read more of Snyder's Bottom Line columns.

    Copyright, 1994-2006 Network World, Inc. All rights reserved.