Senior Editor, Network World

Security debate rages

Oct 06, 2003

Intrusion-detection critics and backers still sparring months after Gartner salvo.

Strong aftershocks continue from the Gartner report that declared intrusion-detection technology dead and predicted the market for such products would be gone by 2005.

While the debate sparked by Gartner’s assessment remains unresolved, reverberations are evident in the product road maps of IDS vendors. The companies are developing systems that can actively block attacks and passively detect them, a key recommendation in Gartner’s report in June. Debates also are raging in corporate and government IT departments about whether to buy IDS products.

Gartner’s Vice President of Research Richard Stiennon stands behind his report’s controversial conclusion – despite conceding a point or two to critics. And he remains surprised by the intensity of the firestorm, which culminated in his being challenged in July before a collection of concerned federal agencies and unhappy IDS vendors.

“It got a little ugly,” Stiennon says. “Some IDS vendors said [intrusion-prevention system] vendors were bribing me.”

The “IDS is dead” report, as it’s now widely called, stated IDS sensors used for passive monitoring of network traffic are a waste. According to Gartner, that’s because they generate a lot of false alerts about attacks and are a round-the-clock management burden for IT. Declaring IDS a “market failure,” the report advised Gartner clients to start blocking attacks outright instead of just monitoring for them, something the newer firewall-like devices – sometimes called intrusion-prevention systems (IPS) – can do. The number of IPS products is growing, though they’ve been slow to catch on with buyers.

The Gartner report prompted such an intense argument among IT officials at the Department of Defense about buying IDS that the Office of the Secretary of Defense organized a meeting at the Pentagon in July. IT representatives and procurement officials from the Army, Navy, Air Force, Federal Aviation Administration, and departments of Energy, Justice and Homeland Security were also in attendance. Also included were a handful of IDS vendors and analysts.

Stiennon had no idea he’d be facing such a crowd.

“I didn’t know the industry vendors would also be there,” he says. “As I was walking down the hall to the room, they let me know.”

According to meeting participants, Arbor Networks, Internet Security Systems (ISS), NFR Security, NetForensics and Sourcefire had been invited to represent the IDS point of view. In addition, two independent analysts, Greg Shipley, CTO at consultancy Neohapsis, and Peter Kuper, industry analyst at SG Cowen, were part of the roundtable discussion.

After Stiennon presented his “IDS is dead” arguments, he quickly came under attack by government personnel who had bought IDSs and were having to explain their purchases to procurement officials, as well as industry vendors exasperated that Stiennon was making such a sweeping condemnation.

“People were saying, ‘Gartner makes statements about tracking hype, but who tracks Gartner?’ Another said Gartner had an agenda to grab press,” Shipley says of the meeting.

But Gartner’s criticism struck a nerve with IT staff struggling to make IDS work and still dealing with worms and other threats, especially with internal software requiring patching. “The Pentagon personnel were saying, ‘We spend all this money on this security software and we still have problems,’” Shipley says.

Stiennon “was a little ganged up on,” Kuper says, adding that he found Gartner’s report on IDS to be “alarmist,” “irresponsible” and based on outdated information about IDS technology, which he says is improving.

Kuper notes that the Gartner report might be having a freezing effect on IDS spending as IT departments are pressed harder to defend buying such products. But he also doubts customers would rush to buy firewall-based IPS offerings if they are already worried about false alerts with IDS.

As for the debate, little has been resolved.

“The Gartner guys aren’t wrong in the issues they identified,” says Marty Roesch, president of Sourcefire, and creator of the open source IDS software Snort. Roesch, who attended the meeting at the Pentagon, acknowledges that false alerts are a problem the industry needs to address. But, he adds, Gartner is “wrong in their conclusions. To recommend you don’t need IDS anymore is ludicrous.”

Shipley also defends IDS – to a point.

“Before you say they’ve failed, ask what did you intend them to do?” he says. As passive-monitoring systems, IDSs – fostered two decades ago through Defense Department research money – are primarily for auditing purposes, Shipley says.

In contrast, a firewall – the preferred Gartner approach – is “an enforcement device.” He says it’s not a clear-cut case that it makes sense to drop IDS for a firewall-like IPS that blocks traffic. There’s a role for both.

Stiennon says his report erred in saying IDS products don’t work over 600M bit/sec, as such systems now are reaching 750M bit/sec and higher.

While the Pentagon declined to comment on the IDS showdown or how future IDS and IPS purchasing might go, the meeting in July ended with no clear winner, according to several attendees.

“Defense Department people ended by summing up saying there’s no clear decision today, but they don’t like these false positives and 24-7 monitoring with IDS,” Stiennon says. He adds that IDS vendors – many of which are adding IPS equipment to their lineups – now tell him that many government agencies in their RFPs are requiring in-line blocking at least as an option.

Customers following debate

Customers in the private sector are monitoring the debate with great interest.

“We see relatively few false positives,” says Roger Safian, information security coordinator at Northwestern University in Evanston, Ill., which is using Lancope’s StealthWatch IDS appliance to monitor network traffic in and out of the university’s network. Asked if he would consider blocking attack traffic with an IPS, he said, “I’m worried IPS will block legitimate traffic as well.”

One concern with using an IPS is that a knowledgeable attacker could “figure out how to turn off your network” by tricking a device into blocking everything, says John McEachen, associate professor of electrical engineering at the government’s Naval Postgraduate School in Monterey, Calif., which uses StealthWatch IDS.

He also notes that the U.S. Pacific Command, based in Hawaii, is using a version of StealthWatch with a graphics-network-display addition called Therminator.

McEachen says military training calls for reliance on an “active watch standard” based on “human cognition as to what to do next.” He says that means “human operators make decisions” when it comes to network attacks. Shifting to an IPS-based perspective in the military would entail change, but he says IPS could be seen as complementary to IDS.

“I’m a Gartner customer,” says Andrew Conte, director of IT and chief information security officer at Home Box Office in New York. While the “IDS is dead” report has been food for thought, he says he’s not ready to throw out his IDS for an IPS, which he sees as somewhat “immature” in terms of technology and market scope. “And you may be blocking valid traffic using IPS,” he adds.

Paul Samadani, director of corporate technology services at Pentair, a tool maker in St. Paul, Minn., that uses the Sourcefire IDS, also is leery of IPS.

“I just don’t think we’re at the place [where] we can do this well technically,” he says, adding he questions Gartner’s advice on this score.

However, many vendors that have their roots in passive IDS monitoring, including Sourcefire, also are developing products that can handle active blocking, although that means designing an in-line device that analyzes the traffic passing through it and stops attack traffic, rather than a passive sensor that only inspects mirrored traffic.

IDS vendor Intrusion last week introduced its first IPS sensor, SecureNet Sensor 5.0. And next week ISS will take the wraps off its Proventia line of multi-use IPS appliances at an event at Fox Electronics in San Jose. Gartner’s Stiennon is expected to be there, along with Howard Schmidt, chief security officer of eBay and former White House security adviser.

A vote of confidence on IDS comes from computer forensics software maker Guidance Software, which this month is adding the ability in its Enterprise Edition 4.16 to capture data instantly, based on an IDS alert from Internet Security Systems and Enterasys products. “We have faith in IDS, with fine-tuning,” says Jon Blair, Guidance’s senior director of product development.

“IDS has gotten a bad rap,” says Richard Kagan, vice president of marketing at Fortinet, which sells IDS and IPS products. “Gartner’s entire argument is malformed. IDS is like having a camera on the side of the highway. IPS is like a toll booth stopping the traffic. They’re entirely separate things.”


Intrusion-detection and intrusion-prevention systems each have pros and cons.

Intrusion-detection systems
  Pros: Identify attacks, penetrations; useful for auditing, forensics.
  Cons: Won’t stop attacks; can raise false positives.

Intrusion-prevention systems
  Pros: Can block network attacks; can be used in passive IDS mode.
  Cons: Legitimate traffic can be blocked accidentally; as in-line devices, are potential points of failure.
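As an added illustration, not code from the article or from any vendor named in it, the toy Python blocker below contrasts the naive auto-block policy behind McEachen’s “turn off your network” concern with a guarded policy that keeps a never-block list, a severity floor and a cap on simultaneous blocks, and that can also run in the passive alert-only mode the table mentions. All addresses, rule names and thresholds are constructed.

```python
"""Toy in-line blocker: naive vs. guarded auto-block policy (constructed example)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Alert:
    src: str        # source address the sensor attributed the event to (may be forged)
    signature: str  # name of the matched rule
    severity: int   # 1 (low) .. 5 (high)


@dataclass
class Blocker:
    mode: str = "inline"                              # "passive" = alert only, "inline" = may drop
    never_block: set = field(default_factory=set)     # nets that must stay reachable, e.g. gateways
    max_blocked: int = 100                            # cap on simultaneous auto-blocks
    min_severity: int = 4                             # do not block on low-confidence alerts
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def handle(self, a: Alert) -> str:
        """Return 'block' if the source was auto-blocked, else 'alert' (logged only)."""
        self.alerts.append(a)                         # every alert is recorded for auditing
        if self.mode == "passive" or a.severity < self.min_severity:
            return "alert"
        ip = ipaddress.ip_address(a.src)
        if any(ip in ipaddress.ip_network(net) for net in self.never_block):
            return "alert"   # refuse to cut off critical infrastructure on an automated alert
        if len(self.blocked) >= self.max_blocked:
            return "alert"   # cap reached: degrade to detection instead of blocking everything
        self.blocked.add(a.src)
        return "block"


def run_demo():
    """Constructed alert stream: a real scan, an alert attributed to the site gateway, a weak alert."""
    alerts = [Alert("203.0.113.45", "PORT_SCAN", 4),
              Alert("10.0.0.1", "EXPLOIT_ATTEMPT", 5),   # 10.0.0.1 is the (hypothetical) gateway
              Alert("203.0.113.77", "BRUTE_FORCE", 2)]
    naive = Blocker(mode="inline", never_block=set(), min_severity=1)
    guarded = Blocker(mode="inline", never_block={"10.0.0.0/24"}, min_severity=4)
    return ([naive.handle(a) for a in alerts], [guarded.handle(a) for a in alerts])


if __name__ == "__main__":
    print(run_demo())   # naive blocks all three, including the gateway; guarded blocks only the scan
```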