- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
Network World - Network intrusion-detection systems as a product class have been under attack recently, fueled by a series of recent Gartner reports, one of which was called "Intrusion detection is dead - long live intrusion prevention." In another, "Hype cycle for information security, 2003," Gartner opined "intrusion-detection systems are a market failure." With headlines like that, one might wonder why we did this review.
Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together.
Gartner's confusion is multiplied by the efforts of IPS vendors to create their own market niche, building on the misconceptions about network IDS. Network managers who bought network IDS expecting a set-it-and-forget-it magic bullet for network security have been disappointed, because that's not what network IDS is all about.
Rather than say what network IDS is not, it's more useful to say what it is. IDSs are designed as passive sensors to detect attacks, policy violations, misbehaviors and security misconfigurations.
As Gary Golomb, a longtime IDS researcher, notes, network IDS can provide the checks and balances on the security posture and implementation of the corporate network. "The IDS serves the single purpose of sitting back and watching over everything to see if people are still getting though," he says. "And here's a curve ball for you: After all the protective technologies [such as firewalls and virus scanners and VPNs are installed], attackers ... are still getting through! Whether it's because of vulnerabilities in network designs, application vulnerabilities or unknowingly misconfigured devices, they do get through."
Vendors such as NFR Security promote network IDS not only to detect break-ins, but also policy violations, such as passwords that are too short, FTP moving the wrong kind of files around or traffic between two systems that should not be talking. We take the position that network IDS is most appropriately deployed where an experienced security analyst with specific goals and tasks can manage it. Although network IDS can be used to answer the question "who broke into my system last week?" that's only one piece of the puzzle.
While network IDS vendors might want to market their products to network managers at all levels of experience, we find that to be an unreasonable expectation. Again, comparing network IDS to a protocol analyzer: Any midsize to large company needs one, but not everyone should be expected to know how to use it. The network IDS vendors have made great strides in reducing the noise level of IDS products and tried to make them usable by staff with varying levels of expertise.