July 2009

Buyer's Guide: Windows Server Intrusion Detection Products


Good security practices help protect your network against attacks by intruders, malicious applications, and a host of other threats. Part of a successful security plan is having the right products in your arsenal—a simple firewall and antivirus product won’t suffice. To fully protect your network, you need intrusion detection and prevention coverage. Intrusion detection systems (IDSs) monitor for open ports on your network to detect security vulnerabilities that leave your systems open to attack. Intrusion prevention systems (IPSs) go even further, actually preventing attacks from occurring.

A multitude of IDS and IPS products exist, ranging from software and services to appliances. For this Buyer’s Guide, we focus on IDS and IPS software and services. In addition, many solutions are free—which we highlight in the accompanying table.

To determine which product is right for your environment, consider the following aspects of intrusion detection and prevention. Then, consult the Buyer’s Guide table for an overview of products.

Detection/Prevention Methods
Methods of intrusion detection vary widely. The most common type of intrusion detection is the rule-based (or signature-based) method. This type of detection compares an attack signature to network traffic to identify potential threats. Other intrusion detection methods include network behavior analysis, event log monitoring and reporting, database auditing, baseline snapshot comparison, pattern recognition, and heuristic analysis.

User Input and Configuration
In choosing an IDS/IPS, you might want to consider how much user input is required (or even possible). For example, does the program run unattended, or does it require user input? Are scans customizable—that is, do they adhere to a predefined policy, or can you apply user-created rules? You should also take into account how often the program is updated, and whether updates are automatic or user-scheduled. Update frequency can range from yearly to hourly, or even as needed in real time. Finally, do scans occur continuously, or only during scheduled times? Although for ease of use you might prefer an IDS/IPS product that runs out-of-the-box, for the best security protection you might want to be able to fine-tune the program to suit your environment and specific needs.
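As an added illustration (not code from the article or from any product it covers), the following Python script shows in miniature how three of the detection methods named above operate: signature matching against event text, event-log monitoring with a frequency threshold, and baseline snapshot comparison of file digests. It also shows a predefined rule set being extended with user-created rules, the configuration choice discussed in this section. Every rule, event line, file path, file content and function name (Rule, match_signatures, failed_logon_bursts, snapshot, compare_snapshot, run_checks) is constructed for the example.

```python
"""
Miniature host-based intrusion detector over constructed Windows-style event
lines. It demonstrates three detection methods named in the article:
signature (rule) matching, event-log monitoring with a threshold, and
baseline snapshot comparison. Everything here is illustrative: the rules,
event lines, file paths and contents are constructed, not real telemetry.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regular expression applied to a single event line
    severity: str


# Predefined ("canned") rule set. Callers may pass extra user-created rules,
# mirroring the predefined-policy vs. custom-rules choice in the guide.
DEFAULT_RULES = (
    Rule("service-install-psexesvc", r"EventID=7045 .*Service Name=PSEXESVC", "high"),
    Rule("audit-log-cleared", r"EventID=1102\b", "high"),
)


def match_signatures(events, extra_rules=()):
    """Signature method: return (rule name, severity, line) for every match."""
    rules = tuple(DEFAULT_RULES) + tuple(extra_rules)
    return [(r.name, r.severity, line)
            for line in events for r in rules if re.search(r.pattern, line)]


def failed_logon_bursts(events, threshold=3):
    """Event-log monitoring: count failed logons (EventID 4625) per source
    and return the sources at or above the threshold."""
    counts = Counter()
    for line in events:
        m = re.search(r"EventID=4625 .*Source=(\S+)", line)
        if m:
            counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def snapshot(files):
    """Baseline snapshot: SHA-256 digest of each file's bytes, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshot(baseline, current):
    """Report paths whose digest changed, paths that appeared, and paths that vanished."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "2009-07-01T08:00:01 EventID=4624 LogonType=2 User=alice Source=10.0.0.5",
    "2009-07-01T08:02:13 EventID=4625 LogonType=3 User=admin Source=10.0.0.77",
    "2009-07-01T08:02:14 EventID=4625 LogonType=3 User=admin Source=10.0.0.77",
    "2009-07-01T08:02:15 EventID=4625 LogonType=3 User=admin Source=10.0.0.77",
    "2009-07-01T08:05:40 EventID=7045 Service Name=PSEXESVC Image=C:\\Windows\\PSEXESVC.exe",
    "2009-07-01T08:06:00 EventID=1102 User=admin",
]

# Constructed file contents for the baseline and for a later scan.
BASELINE_FILES = {
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\r\n",
    r"C:\inetpub\wwwroot\web.config": b"<configuration/>",
}
CURRENT_FILES = {
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\r\n10.0.0.9 update.example\r\n",
    r"C:\inetpub\wwwroot\web.config": b"<configuration/>",
    r"C:\inetpub\wwwroot\unexpected.aspx": b"<%@ Page %>",
}


def run_checks(events=SAMPLE_EVENTS, baseline_files=BASELINE_FILES,
               current_files=CURRENT_FILES, extra_rules=()):
    """Run all three methods and return one findings dictionary."""
    return {
        "signature_hits": match_signatures(events, extra_rules),
        "logon_bursts": failed_logon_bursts(events),
        "file_changes": compare_snapshot(snapshot(baseline_files), snapshot(current_files)),
    }


if __name__ == "__main__":
    # A user-created rule layered on top of the predefined set.
    custom = [Rule("interactive-logon", r"EventID=4624 LogonType=2\b", "info")]
    for section, finding in run_checks(extra_rules=custom).items():
        print(section, finding)
```

The threshold in failed_logon_bursts and the extra_rules argument are the two tuning points: lowering the threshold or adding broad rules raises sensitivity at the cost of more findings to triage, which is the trade-off between an out-of-the-box product and one tuned to your environment.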

Management and Reporting
Even if you have the best IDS/IPS product imaginable, it’s useless if you can’t easily retrieve the information it gathers. Consider whether the program you’re looking at offers centralized management, preferably through an easy-to-use console that provides configuration, monitoring, and reporting. Another criterion to evaluate is the product’s reporting capabilities. For example, are reports canned or customizable? Also, how are reports provided (e.g., HTML, PDF, email)?

Virtualization
If your organization uses virtualization, as so many companies do these days, you need to determine whether the product you’re considering supports and can run in a virtualized environment. Can the program run on a virtual machine (VM)? Can it scan VMs? And does it work with all virtualization platforms, or only one?

Go Forth and Detect
Evaluating all the aspects of intrusion detection and prevention will help you find the best product for your environment. Once you have an IDS/IPS up and running, you can sleep easier knowing your systems are safe from attack—or at least safer than they were without it.

Reader Comments
An IDS/IPS can also provide a false sense of security. Since most products cannot overcome their propensity for generating false positives, an administrator still must maintain an active hand in monitoring and policing firewall rules and user activity.

No SINGLE PIECE OF TECHNOLOGY WILL EVER RENDER A NETWORK 100% secure. Indeed, management is a process. The most expensive IPS solutions still only identify those signatures and rules for which they are programmed. Any variation can evade the system. And what about seemingly normal usage that represents a data leak? An IPS is useless.

All equipment is just another piece to the puzzle. Ultimately an IT manager in cooperation with their management team must determine the goal of IT operations and how best to secure it. A key element, which is often overlooked, involves a consistent process for verifying all the gear (read: internal controls), policies and usage are achieving their desired effect. Too often, network engineers rely upon reviewing a device log as a means of verifying proper set-up. No device, however, will tell you what it missed. Independent verification is crucial. It's why the CFO brings in outside auditors. IT should, at the very least, consider device-independent analysis to measure the effectiveness of current systems and processes.

You can install all the IPS gear in the world and still be wide open. Management visibility will ultimately make your network most secure, even without an IPS.

SmithWill, June 17, 2009


 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement