
IDS finds niche as analytical tools

By Joel Snyder, David Newman and Rodney Thayer, Network World Global Test Alliance, Network World
October 13, 2003 12:10 AM ET

Network World - Network intrusion detection systems can be highly useful additions to your enterprise security arsenal. They provide unique visibility into your networks and offer powerful forensics tools that help detect how and when your network was attacked.

IDSs are not for every network, but when they are deployed in the right place, at the right time and monitored by the right network security professional, they are the right kind of product.

Those are the conclusions we reached based on our tests of five IDS products handling live Internet traffic for 60 days in real-world scenarios.

We tested these products as we did last year in front of multiple live networks that were open to Internet attacks. While last year's testing centered on simple detection, we went beyond that this year to focus on specific scenarios that an enterprise security manager would encounter.

We found that while false positives are still a problem, they are much less of a problem than they were last year as the vendors have gotten much better at managing the flood of false alarms.

While we invited more than a dozen vendors to participate, only Barbedwire Technologies, Cisco, Internet Security Systems (ISS), Intrusion and NFR Security took part in the end. (See "Equipped to play" for a detailed description of the hardware and software each vendor brought to the test.)

Overall, we found that different products have different strengths, depending on your needs, such as:

•  ISS has the most powerful management and analysis tool kit.

•  Cisco provides a great deal of flexibility with its sensors and tight integration with its routers and switches. But its overall management lags the competition.

•  NFR is best if you're going to be writing a lot of your own attack signatures.

•  Intrusion's product set is nearly as strong as ISS, but with considerable rough edges and some notable gaps.

•  We were less enthusiastic about Barbedwire's appliance. Its IDS implementation does not meet the needs of the enterprise network.

Scenario 1: What happened to Paul?

Before the big viruses hit in August, one of our IDS-protected Windows 2000 systems - named Paul - was cracked and being used as a zombie to scan other systems. We wanted to know who broke in and how.

Most products distinguished between alerting and forensics. In alerting, IDSs bring recent high-priority events to your attention. In forensics, they let you dig down to find the source of the problem.

Some products were very modal: You're either working in alert mode or in forensics mode, and there's a barrier between them. Intrusion, NFR and Cisco (with the Cisco Threat Response [CTR] alerting console it picked up through the acquisition of Psionic earlier this year) fell into this category.

ISS and Cisco's original IDS Management Console didn't differentiate between the two types of analysis. Barbedwire also takes a combined approach, mixing forensics and alerting into one interface.

We figured that because Paul got hit on a Friday, there should be a nice, juicy alert sitting there when we logged on Monday.

Intrusion's team had tuned our system to dump alerts after three days, so there was nothing to be seen. We adjusted the thresholds and discovered a nice feature: High-priority alerts can age differently than low-priority alerts. Not a massive competitive advantage, but a good sign that product developers thought about this. When we switched over to Intrusion's Forensics view, a handful of bugs in this early release prevented us from getting a good look at what that feature has to offer.

ISS impresses

Then we turned to ISS. ISS doesn't distinguish between alerts and forensics, but instead offers different views of the same data within SiteProtector, ISS' tool for managing and analyzing information collected from its security tools suite. One powerful feature is its automatic summarization function. Events are grouped wherever possible to reduce the report size. It was easy to confirm that Paul was hacked and when it happened.

To go from the "when did Paul get cracked" screen to "how did it happen," copy the IP address with a right-click, paste it into the same screen, and select a different view of the data. Wait 8 seconds, and there's your answer. Seems simple, but it was a sharp contrast to other products that don't have as sophisticated an interface for slicing, dicing, sorting and finding data.

SiteProtector now had a short list of events, of which six were listed as high priority. Powerful forensics capabilities let you identify attackers and see what else they might have been doing. More importantly, ISS' event management tool lets network managers dump the most interesting events into an "incident" folder and quickly generate a short list of research action items for any node. The linkage between events and ISS' X-Force database, with exact links to explanations and patch locations, gave us a huge head start on tracking down the problem.
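The two behaviours this scenario turns on, priority-aware alert aging (the Intrusion feature described above) and summarizing and pivoting on an IP address to get from "when" to "how" (the SiteProtector workflow), are easy to show on a small alert store. The following is an added example written for this article, not code from any of the products tested; the alerts, hosts and addresses are constructed placeholders ("Paul" is 10.0.0.5, the intruder 203.0.113.42, the attack early on a constructed Friday, the analyst logging in the following Monday).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src_ip: str
    dst_ip: str
    signature: str
    priority: str  # "high" or "low"


# Constructed sample events, not captured data. Hosts and addresses are
# placeholders: "Paul" is 10.0.0.5 and the intruder is 203.0.113.42.
PAUL = "10.0.0.5"
INTRUDER = "203.0.113.42"
FRIDAY = datetime(2003, 7, 25, 2, 0)   # constructed: early Friday morning
MONDAY = datetime(2003, 7, 28, 9, 0)   # constructed: when the analyst logs in

SAMPLE_ALERTS = [
    Alert(FRIDAY, INTRUDER, PAUL, "SCAN service probe", "low"),
    Alert(FRIDAY + timedelta(minutes=1), INTRUDER, PAUL, "EXPLOIT remote code execution attempt", "high"),
    Alert(FRIDAY + timedelta(minutes=2), INTRUDER, PAUL, "BACKDOOR shell session", "high"),
    # Paul, now a zombie, probes five internal hosts an hour later.
    *[Alert(FRIDAY + timedelta(hours=1, seconds=i), PAUL, f"10.0.{i + 1}.1",
            "SCAN service probe", "low") for i in range(5)],
    Alert(FRIDAY + timedelta(days=2), "198.51.100.7", PAUL, "SCAN ping sweep", "low"),
]

# Two retention policies: the uniform three-day window the review ran into,
# and a tiered one in which high-priority alerts age more slowly.
UNIFORM = {"high": timedelta(days=3), "low": timedelta(days=3)}
TIERED = {"high": timedelta(days=14), "low": timedelta(days=3)}


def prune(alerts, now, retention):
    """Keep an alert only while it is younger than the retention window for its priority."""
    return [a for a in alerts if now - a.ts <= retention[a.priority]]


def summarize(alerts):
    """Collapse events into one row per (source, signature): count, distinct targets, time span."""
    groups = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        g = groups.setdefault((a.src_ip, a.signature),
                              {"count": 0, "targets": set(), "first": a.ts, "last": a.ts,
                               "priority": a.priority})
        g["count"] += 1
        g["targets"].add(a.dst_ip)
        g["last"] = a.ts
    return groups


def pivot(alerts, ip):
    """Every event in which ip is source or destination, oldest first (the 'paste the IP' step)."""
    return sorted((a for a in alerts if ip in (a.src_ip, a.dst_ip)), key=lambda a: a.ts)


def first_compromise(alerts, victim):
    """Earliest high-priority inbound event against victim, or None if it has aged out."""
    inbound = [a for a in pivot(alerts, victim) if a.dst_ip == victim and a.priority == "high"]
    return inbound[0] if inbound else None


if __name__ == "__main__":
    for name, policy in (("uniform", UNIFORM), ("tiered", TIERED)):
        retained = prune(SAMPLE_ALERTS, MONDAY, policy)
        hit = first_compromise(retained, PAUL)
        print(f"{name}: {len(retained)} alerts retained; first compromise: "
              f"{hit.ts if hit else 'not visible'}")
    for (src, sig), g in summarize(SAMPLE_ALERTS).items():
        print(f"{src:14} {sig:38} x{g['count']} -> {len(g['targets'])} target(s) "
              f"{g['first']:%a %H:%M}..{g['last']:%a %H:%M}")
```

Under the uniform policy, Monday's view holds only Sunday's ping sweep and the compromise is invisible; under the tiered policy the two high-priority events survive and `first_compromise` returns the Friday exploit attempt with the intruder's address, which `pivot` then expands into everything that address touched. `summarize` collapses the nine raw events into five rows, with Paul's five outbound probes folded into one row listing five distinct targets, which is the grouping the review credits for keeping reports short.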
