Network intrusion-detection systems as a product class have been under attack recently, fueled by a series of recent Gartner reports, one of which was called "Intrusion detection is dead - long live intrusion prevention." In another, "Hype cycle for information security, 2003," Gartner opined "intrusion-detection systems are a market failure." With headlines like that, one might wonder why we did this review.

Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security  analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together.

Gartner's confusion is multiplied by the efforts of IPS vendors to create their own market niche, building on the misconceptions about network IDS. Network managers who bought network IDS expecting a set-it-and-forget-it magic bullet for network security have been disappointed, because that's not what network IDS is all about.

Rather than say what network IDS is not, it's more useful to say what it is. IDSs are designed as passive sensors to detect attacks, policy violations, misbehaviors and security misconfigurations.

As Gary Golomb, a longtime IDS researcher, notes, network IDS can provide the checks and balances on the security posture and implementation of the corporate network. "The IDS serves the single purpose of sitting back and watching over everything to see if people are still getting though," he says. "And here's a curve ball for you: After all the protective technologies [such as firewalls and virus scanners and VPNs are installed], attackers ... are still getting through! Whether it's because of vulnerabilities in network designs, application vulnerabilities or unknowingly misconfigured devices, they do get through."