EDITOR'S NOTE: The Buyer's Guide summarizes vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to http://www.winnetmag.com/buyersguide. To view previous Buyer's Guides on the Web, go to http://www.winnetmag.com/articles/index.cfm?departmentid=118.


An Intrusion Detection System (IDS) is a must-have tool for any serious in-depth computer security plan. Antivirus scanners capture known worms, viruses, and Trojan horses, and firewalls stop port intruders. But an IDS can sniff network packets to see what's really happening. For example, an IDS can detect whether your port 80 traffic is a Web request or an Instant Messaging (IM) file transfer. Firewalls and scanners can't stop a buffer-overflow attack or recognize the latest SQL injection attack, but an IDS is able to recognize and respond to attacks of these types. An advanced IDS can drop the packet before it causes harm or can modify a security parameter so that the malicious packet becomes harmless.

An IDS is typically one of two basic types: Network IDS (NIDS) or Host IDS (HIDS). Some IDSs are available in both types. This Buyer's Guide highlights NIDS and HIDS software.

NIDS
Standalone NIDS appliances are available; however, most NIDSs are software programs that you install on dedicated workstations that contain a NIC. As traffic crosses the network segment, the NIDS uses a signature-based approach similar to that of an antivirus scanner to examine the packet. Because interrogating network traffic at software speeds can slow traffic or cause misdiagnoses, an effective NIDS will have several layers of inspection filters or preprocessors. The first layer should immediately drop from the inspection pool any packet that isn't dangerous. Each descending filter layer fine-tunes the traffic and compares only the most likely suspects with the signature database.

Switched networks present special problems for a NIDS because a switch, by design, prevents one network node from seeing the traffic destined for another. In order to funnel traffic to the NIDS for inspection, you can either place sensors (also called taps or monitors) into remote segments or use a port-spanning switch to copy all traffic to a defined monitoring port.

HIDS
You install a HIDS on servers or workstations to analyze network traffic destined for the installed host. Like a NIDS, a HIDS can sniff packets on a network segment, but a HIDS is more adept at monitoring the local system for changes (e.g., system registry edits, crucial DLL modifications). Whereas a NIDS generally works across a wide range of network topologies, a HIDS is designed for a particular OS platform and monitors specific types of servers (e.g., Web, email, file). Some firewall and honeypot vendors try to pass off their products as HIDSs—don't be fooled into buying a limited-feature product.

NIDS or HIDS?
So, which type of IDS should you use? Most security experts recommend both. Use a NIDS to monitor your general network or your most important segments, such as your server farm, and use a HIDS to monitor crucial application servers.

After deployment, an IDS might log hundreds or thousands of events within a few days or weeks. Make sure your team is prepared and trained to understand the information the product will provide. False positives are by far the biggest problem with an IDS and can condition network administrators to ignore the IDS logs. Because an IDS can reveal an overwhelming amount of information, some companies outsource their IDS monitoring. Whether your company chooses this route depends on your employees' IDS knowledge and the time they have available to read the logs.

Any NIDS or HIDS you purchase should be easy to use and to install. The product should include good technical and OS-platform support and the ability to handle your network or host throughput, and it should offer several different ways to log, alert, and report on monitored traffic. Frequent signature and program updates are essential, as are good threat identification and the ability to conduct research into specific threats. Centralized management consoles for environments with multiple IDSs and product integration with a firewall or antivirus tool are additional features worth your consideration. The best IDSs go beyond detection to prevent attacks.

Obviously, no IDS is foolproof. But a properly configured, monitored IDS is essential if you want a reasonable amount of network protection in today's interconnected environment.