Networking's 50 greatest arguments. A look at the all-time greatest controversies in the history of the network industry

IDS vs. IPS

Gartner predicted intrusion-detection systems would be dead by 2005
By Ellen Messmer , Network World , 10/26/2007

A firestorm of controversy exploded four years ago when consulting firm Gartner declared that intrusion-detection systems that passively monitor for malicious traffic would be “dead” by 2005, a dinosaur wiped out by intrusion-prevention systems that proactively block bad traffic.

Buying an IDS to monitor unwanted traffic is a waste of time and money, Gartner stated, urging enterprise managers to start buying in-line IPS products and step up to the plate and block the attack traffic comin’ at ‘em, primarily from the Internet. Blocking the bad traffic with an in-line IPS opened the possibility of mistakenly blocking good traffic, too, yelped IDS proponents.

IPS products in 2003 were mainly in their infancy and their accuracy deeply suspect. IDS — the most well-known and popular being the open source Snort, created by Martin Roesch in 1998 — was a known quantity. Sure, IDS had its drawbacks: it sometimes generated false positives and negatives, and most people didn’t really know what to do with the massive amount of information netted in the monitoring process.

But Gartner saying IDS is dead

“I find the logic behind their conclusions significantly flawed and their recommendations incomprehensible,” was the response at the time from Roesch, CTO at Sourcefire, founded in 2001 to commercialize Snort. “To be fair, Gartner’s concerns have some basis in fact,” he conceded, adding, “Undoubtedly, IDS must continue to evolve in order to fully realize its potential.”

Today, the issue is largely a moot point as IPS products on the market — which typically rely on IDS detection techniques to flag a problem — tend to operate in a mixed mode, allowing managers to boldly block malicious traffic or passively monitor, or both, depending on the configuration. Security vendors are often coy about breaking out figures on IDS and IPS, but IDC believes IPS began overtaking IDS in 2005. Continuous testing by independent sources helps with determining strengths and weaknesses in IPS.
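The two points above, that an IPS reuses IDS detection logic and only differs in whether a match is acted on, and that acting in-line can drop legitimate traffic on a false positive, are easy to see in a toy model. The following Python sketch is an added example written for this page; it is not code from the article, from Snort or from any vendor. The rule set, the `monitor`/`inline` mode names and the four constructed packets are assumptions for illustration only.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """A signature rule: a pattern plus the action it requests when matched."""
    sid: int                 # rule id (constructed, not a real Snort SID)
    pattern: re.Pattern
    action: str              # "alert" (log only) or "drop" (block if in-line)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def load_rules():
    # Toy signatures (constructed). A real engine also normalises encodings,
    # reassembles streams and inspects protocol fields, not raw bytes.
    return [
        Rule(1000001, re.compile(rb"(?i)union\s+select"), "drop"),
        Rule(1000002, re.compile(rb"/etc/passwd"), "alert"),
    ]


def sample_packets():
    # Constructed sample traffic for the demo.
    return [
        Packet("10.0.0.2", "10.0.1.10",
               b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        # SQL-injection-shaped request: a true positive for rule 1000001
        Packet("10.0.0.5", "10.0.1.10",
               b"GET /item?id=1 UNION SELECT password FROM users HTTP/1.1\r\n\r\n"),
        # Forum post discussing SQL: matches the same signature (false positive)
        Packet("10.0.0.9", "10.0.1.20",
               b"POST /forum/post HTTP/1.1\r\n\r\nbody=How do I merge two "
               b"result sets? I tried UNION SELECT but got an error"),
        # Path traversal attempt: alert-only rule 1000002 fires
        Packet("10.0.0.7", "10.0.1.10",
               b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    ]


def inspect(packet, rules):
    """The detection step shared by IDS and IPS: return every rule that matches."""
    return [r for r in rules if r.pattern.search(packet.payload)]


@dataclass
class Result:
    passed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    alerts: list = field(default_factory=list)   # (sid, src, dst) tuples


def process(packets, rules, mode):
    """Run detection, then apply the sensor's mode.

    mode="monitor": IDS-style. Every match is logged; nothing is ever dropped.
    mode="inline":  IPS-style. Matches are logged and a rule marked "drop"
                    blocks the packet, true positive or not.
    The mixed mode the article describes is exactly this per-rule action
    honoured by an in-line sensor: "alert" rules observe, "drop" rules block.
    """
    if mode not in ("monitor", "inline"):
        raise ValueError(f"unknown mode {mode!r}")
    out = Result()
    for p in packets:
        hits = inspect(p, rules)
        for r in hits:
            out.alerts.append((r.sid, p.src, p.dst))
        if mode == "inline" and any(r.action == "drop" for r in hits):
            out.blocked.append(p)
        else:
            out.passed.append(p)
    return out


if __name__ == "__main__":
    rules = load_rules()
    for mode in ("monitor", "inline"):
        res = process(sample_packets(), rules, mode)
        print(f"{mode}: passed={len(res.passed)} blocked={len(res.blocked)} "
              f"alerts={len(res.alerts)}")
        for p in res.blocked:
            print(f"  blocked {p.src} -> {p.dst}: {p.payload[:40]!r}")
```

Running it, `monitor` records three alerts and forwards all four packets; `inline` records the same three alerts but drops two packets, the injection attempt and the innocent forum post that happens to contain the same bytes. That second drop is the risk the IDS camp raised, and it is why operators usually run new signatures as `alert` first and promote them to `drop` only after the alert history shows they fire cleanly on real traffic.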

“I wouldn’t want to go back to IDS,” says Dwayne Manley, systems and networking manager at Centrex Clinical Laboratories in New Hartford, N.Y., which is shifting from IDS to IPS. “With IDS, I’d like to analyze all those logs but I and my staff don’t have time. All it does is monitor.”

The downside of IPS in Centrex Clinical labs’ experience, though, is that “IPS slows traffic down,” Manley says. “But do I care if it’s slower? Not really.”

A Network World product test last year found evidence some IPS products aren’t as accurate at higher speeds as at low ones. But four years after Gartner declared IDS dead, Gartner Analyst Jeffrey Wheatman wonders why it was so controversial. “IPS makes decisions and antivirus has been doing that for years.”
