In defense of IDSs
Security UPDATE, June 18, 2003
Microsoft recently announced plans to acquire the technological and intellectual assets of GeCAD Software, a Romanian antivirus software vendor. The acquisition lets Microsoft add another layer to its existing set of security protection mechanisms across the majority of its product lines. You can read about the acquisition in the related news story, "Microsoft Gears Up for Antivirus Efforts," in this edition of Security UPDATE.
Microsoft is adding a layer of security that will eventually become available to customers. At the same time, Gartner recommends that enterprises remove a layer of security from their protection schemes.
In a press release issued last week, Gartner declared that Intrusion Detection Systems (IDSs) are a market failure because they fail to add value relative to their costs. Gartner recommends that instead of spending money on an IDS, companies spend their money on firewall solutions that offer both network-level and application-level protection.
Gartner's comments about IDSs appeared in a press release that promotes the company's recently released report, "Hype Cycles" (interested parties can purchase the report from Gartner). The report considers what the future technology will be, including whether IDSs' current popularity results more from hype than from their lasting value and cost-effectiveness. Gartner's prognosis leads me to pose a couple of questions to you. Do you believe that the cost of an IDS outweighs its benefits? Do you believe that removing your standalone IDS would benefit your enterprise?
As Gartner notes, firewalls, whether they reside in the network layer, the application layer, or the desktop layer, serve well to defend against attack. Even so, I believe IDSs have a place among the layers.
IDS technology lets you view the type of traffic traveling into your networks. Proactive IDSs sometimes reveal attack types about which firewalls "know" nothing. If IDSs are positioned behind a firewall, they can reveal and shut down attacks that bypass the firewall. If proactive IDSs are positioned in front of a firewall, they can shut down suspicious traffic before it reaches the firewall.
Gartner also notes that IDS technology often provides false positives and false negatives, that it places an increased burden on staff (requiring round-the-clock monitoring every day of the year), that it requires a tedious incident-response process, and that it can't monitor traffic at speeds exceeding 600Mbps. One could make the first three complaints about firewalls too. Firewall users deal with false detections (all shops that are serious about security must monitor many matters around the clock), and most security incidents (and even nonsecurity incidents, such as a failed server or desktop installation) are time-consuming and tedious to handle--not to mention frustrating.
As for IDSs being unable to monitor traffic that exceeds 600Mbps: That concern is addressable--because it depends in large part on the underlying hardware and OS. The fastest platforms seem to be standalone units designed for specific purposes (e.g., Internet Security Systems'--ISS's--new Proventia security appliances). Proventia appliances combine firewall, intrusion detection, VPN, and virus-scanning capabilities in standalone units that can operate at speeds that far exceed 1Gbps.
However, using a standalone all-in-one unit can sometimes create a single point of failure--a notable risk. If intruders somehow break the appliance unit, they might break all the included security features, including the firewall, IDS, and the antivirus protection. Even if you use multiple standalone units, the same holds true--an exploitable flaw in one unit might be an exploitable flaw in all identical units, depending on configuration and circumstances. In such a potential event, a multivendor and multifunction security solution might hold up better.
I think IDSs do have a place in the security market and that they're not simply overhyped solutions. But if today's firewall vendors intend to diversify their security-related offerings, they'll need to provide proven fail-safe solutions that don't create a single point of failure. And that's not an easy task, especially when it comes to the "proving" part.