What network IDSs can - and can't - do

By Joel Snyder, David Newman and Rodney Thayer
Network World, 10/13/03

Original Article on Network World Web Site

Network intrusion-detection systems as a product class have been under attack recently, fueled by a series of recent Gartner reports, one of which was called "Intrusion detection is dead - long live intrusion prevention." In another, "Hype cycle for information security, 2003," Gartner opined "intrusion-detection systems are a market failure." With headlines like that, one might wonder why we did this review.

Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together.

Gartner's confusion is multiplied by the efforts of IPS vendors to create their own market niche, building on the misconceptions about network IDS. Network managers who bought network IDS expecting a set-it-and-forget-it magic bullet for network security have been disappointed, because that's not what network IDS is all about.

Rather than say what network IDS is not, it's more useful to say what it is. IDSs are designed as passive sensors to detect attacks, policy violations, misbehaviors and security misconfigurations.

As Gary Golomb, a longtime IDS researcher, notes, network IDS can provide the checks and balances on the security posture and implementation of the corporate network. "The IDS serves the single purpose of sitting back and watching over everything to see if people are still getting though," he says. "And here's a curve ball for you: After all the protective technologies [such as firewalls and virus scanners and VPNs are installed], attackers ... are still getting through! Whether it's because of vulnerabilities in network designs, application vulnerabilities or unknowingly misconfigured devices, they do get through."

Vendors such as NFR Security promote network IDS not only to detect break-ins, but also policy violations, such as passwords that are too short, FTP moving the wrong kind of files around or traffic between two systems that should not be talking. We take the position that network IDS is most appropriately deployed where an experienced security analyst with specific goals and tasks can manage it. Although network IDS can be used to answer the question "who broke into my system last week?" that's only one piece of the puzzle.

While network IDS vendors might want to market their products to network managers at all levels of experience, we find that to be an unreasonable expectation. Again, comparing network IDS to a protocol analyzer: Any midsize to large company needs one, but not everyone should be expected to know how to use it. The network IDS vendors have made great strides in reducing the noise level of IDS products and tried to make them usable by staff with varying levels of expertise.

Deciding whether network IDS is right for you is not difficult. Successful network IDS implementations depend on three critical factors:

• Security policy awareness. A network IDS cannot detect suspicious behavior unless you define what is and is not allowed on your network. If you cannot express your network security policy, then the network IDS cannot tell you about violations.

• Network awareness. Network IDS products do a poor job of automatically classifying attacks based on the system being attacked. The classic example of this is an Microsoft Windows-only attack on an Unix Web server. For network IDS data to be useful, you must know what assets are on your network and what the normal and correct traffic looks like.

• IDS architecture. The location and use of network IDS in any enterprise is a highly variable art. For IDS to be useful, it must be implemented in a way that returns useful information. This means you have to design sensor location and sensing technology based on knowledge of security policy and network assets. Network IDS cannot simply be dropped into a network any more than routers, firewalls and VPNs can be dropped in haphazardly.