The long view of security strategies for your network.
As I mentioned in a previous column, there’s a new set of draft documents from the Computer Security Resource Center of the U.S. National Institute of Standards and Technology (NIST).
SP 800-94, “Guide to Intrusion Detection and Prevention (IDP) Systems,” is intended to assist organizations in understanding intrusion detection system (IDS) and intrusion prevention system (IPS) technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention (IDP) solutions.
It provides practical, real-world guidance for each of four classes of IDP products: network-based, wireless, network behavior anomaly detection software, and host-based. The publication also provides an overview of complementary technologies that can detect intrusions, such as security information and event management software.
It focuses on enterprise IDP solutions, but most of the information in the publication is also applicable to stand-alone and small-scale IDP deployments. The publication replaces NIST SP 800-31, Intrusion Detection Systems.
The document was written by Karen Kent and Peter Mell and has the following structure:
1. Introduction
2. Intrusion Detection and Prevention Principles
3. Overview of IDP Technologies
4. Network-Based IDP
5. Wireless IDP
6. Network Behavior Anomaly Detection Software
7. Host-Based IDP
8. Using and Integrating Multiple IDP Technologies
9. IDP Product Selection
Highlights of the recommendations (quoted from the Executive Summary) include:
* Organizations should ensure that all IDP components are secured appropriately.
* Organizations should consider using multiple types of IDP technologies to achieve more comprehensive and accurate detection and prevention of malicious activity.
* Organizations planning to use multiple types of IDP technologies or multiple products of the same IDP technology type should consider whether or not the IDPs should be integrated.
* Before evaluating IDP products, organizations should define the requirements that the products should meet.
* When evaluating IDP products, organizations should consider using a combination of several sources of data on the products’ characteristics and capabilities.
As usual, the document includes a glossary (Appendix A), a list of acronyms (Appendix B), an extensive list of print and online resources pertaining to IDP systems, and charts showing vendors of various types of products:
* Common Enterprise Network-Based IDP Systems (20 product lines)
* Common Enterprise Wireless IDP Systems (8 products)
* Common Enterprise NBAD (network behavior anomaly detection) Systems (7 companies)
* Common Enterprise Host-Based IDP Products (12 product lines)
If readers have comments for improvement of the documents, they can submit them by Oct. 20, 2006.
Read more about security in Network World's Security section.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.